Re: Securing "make check" (CVE-2014-0067)

On Thu, Mar 06, 2014 at 11:52:22PM -0500, Noah Misch wrote:
> On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote:
> > I'm inclined to suggest that we should put the socket under $CWD by
> > default, but provide some way for the user to override that choice.
> > If they want to put it in /tmp, it's on their head as to how secure
> > that is.  On most modern platforms it'd be fine.
>
> I am skeptical about the value of protecting systems with non-sticky /tmp, but
> long $CWD isn't of great importance, either.  I'm fine with your suggestion.
> Though the $CWD or one of its parents could be world-writable, that would
> typically mean an attacker could just replace the test cases directly.

Here's the patch.  The temporary data directory makes for a convenient socket
directory; initdb already gives it mode 0700, and we have existing
arrangements to purge it when finished.  One can override the socket directory
by defining PG_REGRESS_SOCK_DIR in the environment.

nm

--
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com