mirrors
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Secure Unix-domain sockets of "make check" temporary clusters. 

Any OS user able to access the socket can connect as the bootstrap
superuser and in turn execute arbitrary code as the OS user running the
test.  Protect against that by placing the socket in the temporary data
directory, which has mode 0700 thanks to initdb.  Back-patch to 8.4 (all
supported versions).  The hazard remains wherever the temporary cluster
accepts TCP connections, notably on Windows.

Attempts to run "make check" from a directory with a long name will now
fail.  An alternative not sharing that problem was to place the socket
in a subdirectory of /tmp, but that is only secure if /tmp is sticky.
The PG_REGRESS_SOCK_DIR environment variable is available as a
workaround when testing from long directory paths.

As a convenient side effect, this lets testing proceed smoothly in
builds that override DEFAULT_PGSOCKET_DIR.  Popular non-default values
like /var/run/postgresql are often unwritable to the build user.

Security: CVE-2014-0067
This commit is contained in:
Noah Misch 2014-03-29 00:52:56 -04:00
parent fbd32b0cab
commit 31c6e54ec9
3 changed files with 48 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
contrib/pg_upgrade/test.sh
View File

@ -25,8 +25,6 @@ case $testhost in
*) LISTEN_ADDRESSES="" ;; *) LISTEN_ADDRESSES="" ;;
esac esac
POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES"
temp_root=$PWD/tmp_check temp_root=$PWD/tmp_check
if [ "$1" = '--install' ]; then if [ "$1" = '--install' ]; then
@ -86,13 +84,16 @@ PGSERVICE=""; unset PGSERVICE
PGSSLMODE=""; unset PGSSLMODE PGSSLMODE=""; unset PGSSLMODE
PGREQUIRESSL=""; unset PGREQUIRESSL PGREQUIRESSL=""; unset PGREQUIRESSL
PGCONNECT_TIMEOUT=""; unset PGCONNECT_TIMEOUT PGCONNECT_TIMEOUT=""; unset PGCONNECT_TIMEOUT
PGHOST=""; unset PGHOST
PGHOSTADDR=""; unset PGHOSTADDR PGHOSTADDR=""; unset PGHOSTADDR
# Select a non-conflicting port number, similarly to pg_regress.c # Select a port number and socket directory, similarly to pg_regress.c
PG_VERSION_NUM=`grep '#define PG_VERSION_NUM' $newsrc/src/include/pg_config.h | awk '{print $3}'` PG_VERSION_NUM=`grep '#define PG_VERSION_NUM' $newsrc/src/include/pg_config.h | awk '{print $3}'`
PGPORT=`expr $PG_VERSION_NUM % 16384 + 49152` PGPORT=`expr $PG_VERSION_NUM % 16384 + 49152`
export PGPORT export PGPORT
PGHOST=${PG_REGRESS_SOCK_DIR-$PGDATA}
export PGHOST
POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES -k \"$PGHOST\""
i=0 i=0
while psql -X postgres </dev/null 2>/dev/null while psql -X postgres </dev/null 2>/dev/null

34
doc/src/sgml/regress.sgml
View File

@ -58,21 +58,14 @@ make check
<warning> <warning>
<para> <para>
This test method starts a temporary server, which is configured to accept On systems lacking Unix-domain sockets, notably Windows, this test method
any connection originating on the local machine. Any local user can gain starts a temporary server configured to accept any connection originating
database superuser privileges when connecting to this server, and could on the local machine. Any local user can gain database superuser
in principle exploit all privileges of the operating-system user running privileges when connecting to this server, and could in principle exploit
the tests. Therefore, it is not recommended that you use <literal>make all privileges of the operating-system user running the tests. Therefore,
check</> on machines shared with untrusted users. Instead, run the tests it is not recommended that you use <literal>make check</> on an affected
after completing the installation, as described in the next section. system shared with untrusted users. Instead, run the tests after
</para> completing the installation, as described in the next section.
<para>
On Unix-like machines, this danger can be avoided if the temporary
server's socket file is made inaccessible to other users, for example
by running the tests in a protected chroot. On Windows, the temporary
server opens a locally-accessible TCP socket, so filesystem protections
cannot help.
</para> </para>
</warning> </warning>
@ -111,6 +104,17 @@ make MAX_CONNECTIONS=10 check
</screen> </screen>
runs no more than ten tests concurrently. runs no more than ten tests concurrently.
</para> </para>
<para>
To protect your operating system user account, the test driver places the
server's socket in a relative subdirectory inaccessible to other users.
Since most systems constrain the length of socket paths well
below <literal>_POSIX_PATH_MAX</>, testing may fail to start from a
directory with a long name. Work around this problem by pointing
the <envar>PG_REGRESS_SOCK_DIR</> environment variable to a substitute
socket directory having a shorter path. On a multi-user system, give that
directory mode <literal>0700</>.
</para>
</sect2> </sect2>
<sect2> <sect2>

31
src/test/regress/pg_regress.c
View File

@ -109,6 +109,7 @@ static const char *progname;
static char *logfilename; static char *logfilename;
static FILE *logfile; static FILE *logfile;
static char *difffilename; static char *difffilename;
static char *sockdir;
static _resultmap *resultmap = NULL; static _resultmap *resultmap = NULL;
@ -758,8 +759,7 @@ initialize_environment(void)
* the wrong postmaster, or otherwise behave in nondefault ways. (Note * the wrong postmaster, or otherwise behave in nondefault ways. (Note
* we also use psql's -X switch consistently, so that ~/.psqlrc files * we also use psql's -X switch consistently, so that ~/.psqlrc files
* won't mess things up.) Also, set PGPORT to the temp port, and set * won't mess things up.) Also, set PGPORT to the temp port, and set
* or unset PGHOST depending on whether we are using TCP or Unix * PGHOST depending on whether we are using TCP or Unix sockets.
* sockets.
*/ */
unsetenv("PGDATABASE"); unsetenv("PGDATABASE");
unsetenv("PGUSER"); unsetenv("PGUSER");
@ -771,7 +771,23 @@ initialize_environment(void)
if (hostname != NULL) if (hostname != NULL)
doputenv("PGHOST", hostname); doputenv("PGHOST", hostname);
else else
unsetenv("PGHOST"); {
sockdir = getenv("PG_REGRESS_SOCK_DIR");
if (!sockdir)
{
/*
* Since initdb creates the data directory with secure
* permissions, we place the socket there. This ensures no
* other OS user can open our socket to exploit our use of
* trust authentication. Compared to using the compiled-in
* DEFAULT_PGSOCKET_DIR, this also permits testing to work in
* builds that relocate it to a directory not writable to the
* build/test user.
*/
sockdir = psprintf("%s/data", temp_install);
}
doputenv("PGHOST", sockdir);
}
unsetenv("PGHOSTADDR"); unsetenv("PGHOSTADDR");
if (port != -1) if (port != -1)
{ {
@ -2265,10 +2281,11 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
*/ */
header(_("starting postmaster")); header(_("starting postmaster"));
snprintf(buf, sizeof(buf), snprintf(buf, sizeof(buf),
SYSTEMQUOTE "\"%s/postgres\" -D \"%s/data\" -F%s -c \"listen_addresses=%s\" > \"%s/log/postmaster.log\" 2>&1" SYSTEMQUOTE, SYSTEMQUOTE "\"%s/postgres\" -D \"%s/data\" -F%s "
bindir, temp_install, "-c \"listen_addresses=%s\" -k \"%s\" "
debug ? " -d 5" : "", "> \"%s/log/postmaster.log\" 2>&1" SYSTEMQUOTE,
hostname ? hostname : "", bindir, temp_install, debug ? " -d 5" : "",
hostname ? hostname : "", sockdir ? sockdir : "",
outputdir); outputdir);
postmaster_pid = spawn_process(buf); postmaster_pid = spawn_process(buf);
if (postmaster_pid == INVALID_PID) if (postmaster_pid == INVALID_PID)