Re: pgsql: Revert "Secure Unix-domain sockets of "make check" temporary clu
From | Noah Misch |
---|---|
Subject | Re: pgsql: Revert "Secure Unix-domain sockets of "make check" temporary clu |
Date | |
Msg-id | 20140329222934.GC170273@tornado.leadboat.com |
In response to | Re: pgsql: Revert "Secure Unix-domain sockets of "make check" temporary clu (Andrew Dunstan <andrew@dunslane.net>) |
List | pgsql-committers |
On Sat, Mar 29, 2014 at 01:48:33PM -0400, Andrew Dunstan wrote:
> On 03/29/2014 01:22 PM, Noah Misch wrote:
> >http://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=dromedary&dt=2014-03-29%2007%3A02%3A48
>
> Hmm. Can we use a location with a bit more head room than the
> tmp_check/data directory? Maybe something like src/test/sockets?
> Note that the buildfarm's buildroot (the part of the name before the
> branch name) is not terribly long in some of these cases. e.g. in
> the first case it's only 32 chars long.

That's tempting, but I don't think freeing up ~25 bytes changes the verdict. Christoph brought up that Debian builds in directory trees deeper than those the buildfarm uses, and I suspect Debian is not alone.

I think we're back looking at using a subdirectory of /tmp, with the open question being what properties (sticky bit, ownership, _PC_CHOWN_RESTRICTED), if any, to verify on /tmp and its parent(s) before proceeding.

I looked around to see what other projects are doing. File::Temp is the one project I found that has an option[1], disabled by default, to security-check /tmp. Even OpenSSH simply assumes /tmp is suitable. Perhaps the threat of insecure /tmp has received less attention than it deserves, or perhaps secure /tmp is considered a mandatory component of a multi-user Unix system. In any event, I do not feel the need to put PostgreSQL "make check" in the vanguard concerning this issue. Assuming a secure /tmp, like OpenSSH does, is reasonable.

--
Noah Misch
EnterpriseDB http://www.enterprisedb.com

[1] http://search.cpan.org/~dagolden/File-Temp-0.2304/lib/File/Temp.pm#safe_level
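
The properties named in the message above (sticky bit, ownership, `_PC_CHOWN_RESTRICTED`, applied to /tmp and its parents), written out as an added example; it is not part of the original message and is not PostgreSQL or File::Temp code. The acceptance policy, the `DIR_*` codes and the function names `dir_verdict` and `check_chain` are assumptions of this example.

```c
#define _XOPEN_SOURCE 700            /* for realpath() and S_ISVTX */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DIR_OK, DIR_NOT_DIR, DIR_BAD_OWNER, DIR_NO_STICKY, DIR_CHOWN_OPEN };

/* Verdict for one directory; chown_restricted is pathconf()'s result (-1 = off). */
int dir_verdict(const struct stat *st, uid_t me, long chown_restricted)
{
    if (!S_ISDIR(st->st_mode))
        return DIR_NOT_DIR;
    if (st->st_uid != 0 && st->st_uid != me)
        return DIR_BAD_OWNER;        /* owner can replace entries under us */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) {
        if (!(st->st_mode & S_ISVTX))
            return DIR_NO_STICKY;    /* others can unlink or rename our files */
        if (chown_restricted == -1)
            return DIR_CHOWN_OPEN;   /* others can give files away to our uid */
    }
    return DIR_OK;
}

/* Check path and each parent up to "/"; returns a DIR_* code or -1 on error. */
int check_chain(const char *path)
{
    char buf[PATH_MAX], *slash;
    struct stat st;
    int v;
    if (realpath(path, buf) == NULL)             /* resolves a symlinked /tmp */
        return -1;
    for (;;) {
        if (lstat(buf, &st) != 0)
            return -1;
        v = dir_verdict(&st, geteuid(), pathconf(buf, _PC_CHOWN_RESTRICTED));
        if (v != DIR_OK || strcmp(buf, "/") == 0)
            return v;
        slash = strrchr(buf, '/');
        *(slash == buf ? slash + 1 : slash) = '\0';   /* step up to the parent */
    }
}

int main(int argc, char **argv)
{
    printf("verdict: %d\n", check_chain(argc > 1 ? argv[1] : "/tmp"));
    return 0;
}
```
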