Re: Securing "make check" (CVE-2014-0067)

On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote:
> Noah Misch <noah@leadboat.com> writes:
> > Thanks.  To avoid socket path length limitations, I lean toward placing the
> > socket temporary directory under /tmp rather than placing under the CWD:
> 
> I'm not thrilled with that; it's totally insecure on platforms where /tmp
> isn't "sticky", so it doesn't seem like an appropriate solution given
> that this discussion is now being driven by security concerns.
> 
> > http://www.postgresql.org/message-id/flat/20121129223632.GA15016@tornado.leadboat.com
> 
> I re-read that thread.  While we did fix the reporting end of it, ie
> the postmaster will now give you a clear failure message if your
> socket path is too long, that's going to be cold comfort to anyone
> who has to build in an environment they don't have much control over
> (such as my still-hypothetical-I-hope scenario about Red Hat package
> updates).
> 
> I'm inclined to suggest that we should put the socket under $CWD by
> default, but provide some way for the user to override that choice.
> If they want to put it in /tmp, it's on their head as to how secure
> that is.  On most modern platforms it'd be fine.

I am skeptical about the value of protecting systems with non-sticky /tmp, but
long $CWD isn't of great importance, either.  I'm fine with your suggestion.
Though the $CWD or one of its parents could be world-writable, that would
typically mean an attacker could just replace the test cases directly.

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com