NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit0046f65

committed

Lock down regression testing temporary clusters on Windows.

Use SSPI authentication to allow connections exclusively from the OSuser that launched the test suite. This closes on Windows thevulnerability that commitbe76a6dclosed on other platforms. Users of "make installcheck" or custom testharnesses can run "pg_regress --config-auth=DATADIR" to activate thesame authentication configuration that "make check" would use.Back-patch to 9.0 (all supported versions).Security:CVE-2014-0067

1 parentd1131ae commit0046f65Copy full SHA for 0046f65

File tree

7 files changed

+200

-24

lines changed

contrib
- dblink
  - Makefile
  - expected
    - dblink.out
  - sql
    - dblink.sql
- pg_upgrade
  - test.sh
doc/src/sgml
- regress.sgml
src
- test/regress
  - pg_regress.c
- tools/msvc
  - vcregress.pl

7 files changed

+200

-24

lines changed

`‎contrib/dblink/Makefile`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,8 @@ EXTENSION = dblink`
`10`	`10`	`DATA = dblink--1.0.sql dblink--unpackaged--1.0.sql`
`11`	`11`
`12`	`12`	`REGRESS = paths dblink`
`13`		`-REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress`
	`13`	`+REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress\`
	`14`	`+--create-role=dblink_regression_test`
`14`	`15`	`EXTRA_CLEAN = sql/paths.sql expected/paths.out`
`15`	`16`
`16`	`17`	`# the db name is hard-coded in the tests`

`‎contrib/dblink/expected/dblink.out`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -811,7 +811,6 @@ SELECT dblink_disconnect('dtest1');`
`811`	`811`	`(1 row)`
`812`	`812`
`813`	`813`	`-- test foreign data wrapper functionality`
`814`		`-CREATE USER dblink_regression_test;`
`815`	`814`	`CREATE FOREIGN DATA WRAPPER postgresql;`
`816`	`815`	`CREATE SERVER fdtest FOREIGN DATA WRAPPER postgresql OPTIONS (dbname 'contrib_regression');`
`817`	`816`	`CREATE USER MAPPING FOR public SERVER fdtest;`
`@@ -849,7 +848,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])`
`849`	`848`	`\c - :ORIGINAL_USER`
`850`	`849`	`REVOKE USAGE ON FOREIGN SERVER fdtest FROM dblink_regression_test;`
`851`	`850`	`REVOKE EXECUTE ON FUNCTION dblink_connect_u(text, text) FROM dblink_regression_test;`
`852`		`-DROP USER dblink_regression_test;`
`853`	`851`	`DROP USER MAPPING FOR public SERVER fdtest;`
`854`	`852`	`DROP SERVER fdtest;`
`855`	`853`	`DROP FOREIGN DATA WRAPPER postgresql;`

`‎contrib/dblink/sql/dblink.sql`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -387,7 +387,6 @@ SELECT dblink_error_message('dtest1');`
`387`	`387`	`SELECT dblink_disconnect('dtest1');`
`388`	`388`
`389`	`389`	`-- test foreign data wrapper functionality`
`390`		`-CREATEUSERdblink_regression_test;`
`391`	`390`
`392`	`391`	`CREATE FOREIGN DATA WRAPPER postgresql;`
`393`	`392`	`CREATE SERVER fdtest FOREIGN DATA WRAPPER postgresql OPTIONS (dbname'contrib_regression');`
`@@ -406,7 +405,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])`
`406`	`405`	`\c- :ORIGINAL_USER`
`407`	`406`	`REVOKE USAGEON FOREIGN SERVER fdtestFROM dblink_regression_test;`
`408`	`407`	`REVOKE EXECUTEON FUNCTION dblink_connect_u(text,text)FROM dblink_regression_test;`
`409`		`-DROPUSER dblink_regression_test;`
`410`	`408`	`DROPUSER MAPPING FOR public SERVER fdtest;`
`411`	`409`	`DROP SERVER fdtest;`
`412`	`410`	`DROP FOREIGN DATA WRAPPER postgresql;`

`‎contrib/pg_upgrade/test.sh`

Lines changed: 11 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,13 +15,20 @@ set -e`
`15`	`15`	`:${PGPORT=50432}`
`16`	`16`	`export PGPORT`
`17`	`17`
	`18`	`+# Run a given "initdb" binary and overlay the regression testing`
	`19`	`+# authentication configuration.`
	`20`	`+standard_initdb() {`
	`21`	`+"$1"`
	`22`	`+../../src/test/regress/pg_regress --config-auth"$PGDATA"`
	`23`	`+}`
	`24`	`+`
`18`	`25`	`# Establish how the server will listen for connections`
`19`	`26`	testhost=`uname -s`
`20`	`27`
`21`	`28`	`case$testhostin`
`22`	`29`	`MINGW*)`
`23`	`30`	`LISTEN_ADDRESSES="localhost"`
`24`		`-PGHOST="";unset PGHOST`
	`31`	`+PGHOST=localhost`
`25`	`32`	`;;`
`26`	`33`	`*)`
`27`	`34`	`LISTEN_ADDRESSES=""`
`@@ -47,11 +54,11 @@ case $testhost in`
`47`	`54`	`trap'rm -rf "$PGHOST"' 0`
`48`	`55`	`trap'exit 3' 1 2 13 15`
`49`	`56`	`fi`
`50`		`-export PGHOST`
`51`	`57`	`;;`
`52`	`58`	`esac`
`53`	`59`
`54`	`60`	`POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES -k\"$PGHOST\""`
	`61`	`+export PGHOST`
`55`	`62`
`56`	`63`	`temp_root=$PWD/tmp_check`
`57`	`64`
`@@ -117,7 +124,7 @@ mkdir "$logdir"`
`117`	`124`	`# enable echo so the user can see what is being executed`
`118`	`125`	`set -x`
`119`	`126`
`120`		`-$oldbindir/initdb`
	`127`	`+standard_initdb"$oldbindir"/initdb`
`121`	`128`	`$oldbindir/pg_ctl start -l"$logdir/postmaster1.log" -o"$POSTMASTER_OPTS" -w`
`122`	`129`	`if"$MAKE" -C"$oldsrc" installcheck;then`
`123`	`130`	`pg_dumpall -f"$temp_root"/dump1.sql\|\| pg_dumpall1_status=$?`
`@@ -157,7 +164,7 @@ fi`
`157`	`164`
`158`	`165`	`PGDATA=$BASE_PGDATA`
`159`	`166`
`160`		`-initdb`
	`167`	`+standard_initdb'initdb'`
`161`	`168`
`162`	`169`	`pg_upgrade -d"${PGDATA}.old" -D"${PGDATA}" -b"$oldbindir" -B"$bindir"`
`163`	`170`

`‎doc/src/sgml/regress.sgml`

Lines changed: 0 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,19 +56,6 @@ gmake check`
`56`	`56`	`<quote>failure</> represents a serious problem.`
`57`	`57`	`</para>`
`58`	`58`
`59`		`- <warning>`
`60`		`- <para>`
`61`		`- On systems lacking Unix-domain sockets, notably Windows, this test method`
`62`		`- starts a temporary server configured to accept any connection originating`
`63`		`- on the local machine. Any local user can gain database superuser`
`64`		`- privileges when connecting to this server, and could in principle exploit`
`65`		`- all privileges of the operating-system user running the tests. Therefore,`
`66`		`- it is not recommended that you use <literal>gmake check</> on an affected`
`67`		`- system shared with untrusted users. Instead, run the tests after`
`68`		`- completing the installation, as described in the next section.`
`69`		`- </para>`
`70`		`- </warning>`
`71`		`-`
`72`	`59`	`<para>`
`73`	`60`	`Because this test method runs a temporary server, it will not work`
`74`	`61`	`if you did the build as the root user, since the server will not start as`

`‎src/test/regress/pg_regress.c`

Lines changed: 175 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,7 @@ static char *dlpath = PKGLIBDIR;`
`105`	`105`	`staticchar*user=NULL;`
`106`	`106`	`static_stringlist*extraroles=NULL;`
`107`	`107`	`static_stringlist*extra_install=NULL;`
	`108`	`+staticchar*config_auth_datadir=NULL;`
`108`	`109`
`109`	`110`	`/* internal variables */`
`110`	`111`	`staticconstchar*progname;`
`@@ -970,6 +971,150 @@ initialize_environment(void)`
`970`	`971`	`load_resultmap();`
`971`	`972`	`}`
`972`	`973`
	`974`	`+#ifdefENABLE_SSPI`
	`975`	`+/*`
	`976`	`+ * Get account and domain/realm names for the current user. This is based on`
	`977`	`+ * pg_SSPI_recvauth(). The returned strings use static storage.`
	`978`	`+ */`
	`979`	`+staticvoid`
	`980`	`+current_windows_user(constcharacct,constchardom)`
	`981`	`+{`
	`982`	`+staticcharaccountname[MAXPGPATH];`
	`983`	`+staticchardomainname[MAXPGPATH];`
	`984`	`+HANDLEtoken;`
	`985`	`+TOKEN_USER*tokenuser;`
	`986`	`+DWORDretlen;`
	`987`	`+DWORDaccountnamesize=sizeof(accountname);`
	`988`	`+DWORDdomainnamesize=sizeof(domainname);`
	`989`	`+SID_NAME_USEaccountnameuse;`
	`990`	`+`
	`991`	`+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&token))`
	`992`	`+{`
	`993`	`+fprintf(stderr,`
	`994`	`+_("%s: could not open process token: error code %lu\n"),`
	`995`	`+progname,GetLastError());`
	`996`	`+exit(2);`
	`997`	`+}`
	`998`	`+`
	`999`	`+if (!GetTokenInformation(token,TokenUser,NULL,0,&retlen)&&GetLastError()!=122)`
	`1000`	`+{`
	`1001`	`+fprintf(stderr,`
	`1002`	`+_("%s: could not get token user size: error code %lu\n"),`
	`1003`	`+progname,GetLastError());`
	`1004`	`+exit(2);`
	`1005`	`+}`
	`1006`	`+tokenuser=malloc(retlen);`
	`1007`	`+if (!GetTokenInformation(token,TokenUser,tokenuser,retlen,&retlen))`
	`1008`	`+{`
	`1009`	`+fprintf(stderr,`
	`1010`	`+_("%s: could not get token user: error code %lu\n"),`
	`1011`	`+progname,GetLastError());`
	`1012`	`+exit(2);`
	`1013`	`+}`
	`1014`	`+`
	`1015`	`+if (!LookupAccountSid(NULL,tokenuser->User.Sid,accountname,&accountnamesize,`
	`1016`	`+domainname,&domainnamesize,&accountnameuse))`
	`1017`	`+{`
	`1018`	`+fprintf(stderr,`
	`1019`	`+_("%s: could not look up account SID: error code %lu\n"),`
	`1020`	`+progname,GetLastError());`
	`1021`	`+exit(2);`
	`1022`	`+}`
	`1023`	`+`
	`1024`	`+free(tokenuser);`
	`1025`	`+`
	`1026`	`+*acct=accountname;`
	`1027`	`+*dom=domainname;`
	`1028`	`+}`
	`1029`	`+`
	`1030`	`+/*`
	`1031`	`+ * Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit`
	`1032`	`+ * the current OS user to authenticate as the bootstrap superuser and as any`
	`1033`	`+ * user named in a --create-role option.`
	`1034`	`+ */`
	`1035`	`+staticvoid`
	`1036`	`+config_sspi_auth(constchar*pgdata)`
	`1037`	`+{`
	`1038`	`+constchar*accountname,`
	`1039`	`+*domainname;`
	`1040`	`+charusername[128];`
	`1041`	`+DWORDsz=sizeof(username)-1;`
	`1042`	`+charfname[MAXPGPATH];`
	`1043`	`+intres;`
	`1044`	`+FILE*hba,`
	`1045`	`+*ident;`
	`1046`	`+_stringlist*sl;`
	`1047`	`+`
	`1048`	`+/*`
	`1049`	`+ * "username", the initdb-chosen bootstrap superuser name, may always`
	`1050`	`+ * match "accountname", the value SSPI authentication discovers. The`
	`1051`	`+ * underlying system functions do not clearly guarantee that.`
	`1052`	`+ */`
	`1053`	`+current_windows_user(&accountname,&domainname);`
	`1054`	`+if (!GetUserName(username,&sz))`
	`1055`	`+{`
	`1056`	`+fprintf(stderr,_("%s: could not get current user name: %s\n"),`
	`1057`	`+progname,strerror(errno));`
	`1058`	`+exit(2);`
	`1059`	`+}`
	`1060`	`+`
	`1061`	`+/* Check a Write outcome and report any error. */`
	`1062`	`+#defineCW(cond)\`
	`1063`	`+do { \`
	`1064`	`+if (!(cond)) \`
	`1065`	`+{ \`
	`1066`	`+fprintf(stderr, _("%s: could not write to file \"%s\": %s\n"), \`
	`1067`	`+progname, fname, strerror(errno)); \`
	`1068`	`+exit(2); \`
	`1069`	`+} \`
	`1070`	`+} while (0)`
	`1071`	`+`
	`1072`	`+res=snprintf(fname,sizeof(fname),"%s/pg_hba.conf",pgdata);`
	`1073`	`+if (res<0\|\|res >=sizeof(fname)-1)`
	`1074`	`+{`
	`1075`	`+/*`
	`1076`	`+ * Truncating this name is a fatal error, because we must not fail to`
	`1077`	`+ * overwrite an original trust-authentication pg_hba.conf.`
	`1078`	`+ */`
	`1079`	`+fprintf(stderr,_("%s: directory name too long\n"),progname);`
	`1080`	`+exit(2);`
	`1081`	`+}`
	`1082`	`+hba=fopen(fname,"w");`
	`1083`	`+if (hba==NULL)`
	`1084`	`+{`
	`1085`	`+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),`
	`1086`	`+progname,fname,strerror(errno));`
	`1087`	`+exit(2);`
	`1088`	`+}`
	`1089`	`+CW(fputs("# Configuration written by config_sspi_auth()\n",hba) >=0);`
	`1090`	`+CW(fputs("host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n",`
	`1091`	`+hba) >=0);`
	`1092`	`+CW(fclose(hba)==0);`
	`1093`	`+`
	`1094`	`+snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata);`
	`1095`	`+ident=fopen(fname,"w");`
	`1096`	`+if (ident==NULL)`
	`1097`	`+{`
	`1098`	`+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),`
	`1099`	`+progname,fname,strerror(errno));`
	`1100`	`+exit(2);`
	`1101`	`+}`
	`1102`	`+CW(fputs("# Configuration written by config_sspi_auth()\n",ident) >=0);`
	`1103`	`+`
	`1104`	`+/*`
	`1105`	`+ * Double-quote for the benefit of account names containing whitespace or`
	`1106`	`+ * '#'. Windows forbids the double-quote character itself, so don't`
	`1107`	`+ * bother escaping embedded double-quote characters.`
	`1108`	`+ */`
	`1109`	`+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",`
	`1110`	`+accountname,domainname,username) >=0);`
	`1111`	`+for (sl=extraroles;sl;sl=sl->next)`
	`1112`	`+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",`
	`1113`	`+accountname,domainname,sl->str) >=0);`
	`1114`	`+CW(fclose(ident)==0);`
	`1115`	`+}`
	`1116`	`+#endif`
	`1117`	`+`
`973`	`1118`	`/*`
`974`	`1119`	`* Issue a command via psql, connecting to the specified database`
`975`	`1120`	`*`
`@@ -1969,6 +2114,7 @@ help(void)`
`1969`	`2114`	`printf(_("Usage:\n %s [OPTION]... [EXTRA-TEST]...\n"),progname);`
`1970`	`2115`	`printf(_("\n"));`
`1971`	`2116`	`printf(_("Options:\n"));`
	`2117`	`+printf(_(" --config-auth=DATADIR update authentication settings for DATADIR\n"));`
`1972`	`2118`	`printf(_(" --create-role=ROLE create the specified role before testing\n"));`
`1973`	`2119`	`printf(_(" --dbname=DB use database DB (default \"regression\")\n"));`
`1974`	`2120`	`printf(_(" --debug turn on debug mode in programs that are run\n"));`
`@@ -2042,6 +2188,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc`
`2042`	`2188`	`{"launcher",required_argument,NULL,21},`
`2043`	`2189`	`{"load-extension",required_argument,NULL,22},`
`2044`	`2190`	`{"extra-install",required_argument,NULL,23},`
	`2191`	`+{"config-auth",required_argument,NULL,24},`
`2045`	`2192`	`{NULL,0,NULL,0}`
`2046`	`2193`	`};`
`2047`	`2194`
`@@ -2146,6 +2293,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc`
`2146`	`2293`	`case23:`
`2147`	`2294`	`add_stringlist_item(&extra_install,optarg);`
`2148`	`2295`	`break;`
	`2296`	`+case24:`
	`2297`	`+config_auth_datadir=strdup(optarg);`
	`2298`	`+if (!config_auth_datadir)`
	`2299`	`+{`
	`2300`	`+fprintf(stderr,_("out of memory\n"));`
	`2301`	`+exit(EXIT_FAILURE);`
	`2302`	`+}`
	`2303`	`+break;`
`2149`	`2304`	`default:`
`2150`	`2305`	`/* getopt_long already emitted a complaint */`
`2151`	`2306`	`fprintf(stderr,_("\nTry \"%s -h\" for more information.\n"),`
`@@ -2163,6 +2318,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc`
`2163`	`2318`	`optind++;`
`2164`	`2319`	`}`
`2165`	`2320`
	`2321`	`+if (config_auth_datadir)`
	`2322`	`+{`
	`2323`	`+#ifdefENABLE_SSPI`
	`2324`	`+config_sspi_auth(config_auth_datadir);`
	`2325`	`+#endif`
	`2326`	`+exit(0);`
	`2327`	`+}`
	`2328`	`+`
`2166`	`2329`	`if (temp_install&& !port_specified_by_user)`
`2167`	`2330`
`2168`	`2331`	`/*`
`@@ -2303,6 +2466,18 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc`
`2303`	`2466`
`2304`	`2467`	`fclose(pg_conf);`
`2305`	`2468`
	`2469`	`+#ifdefENABLE_SSPI`
	`2470`	`+`
	`2471`	`+/*`
	`2472`	`+ * Since we successfully used the same buffer for the much-longer`
	`2473`	`+ * "initdb" command, this can't truncate.`
	`2474`	`+ */`
	`2475`	`+snprintf(buf,sizeof(buf),"%s/data",temp_install);`
	`2476`	`+config_sspi_auth(buf);`
	`2477`	`+#elif !defined(HAVE_UNIX_SOCKETS)`
	`2478`	`+#error Platform has no means to secure the test installation.`
	`2479`	`+#endif`
	`2480`	`+`
`2306`	`2481`	`/*`
`2307`	`2482`	`* Check if there is a postmaster running already.`
`2308`	`2483`	`*/`

`‎src/tools/msvc/vcregress.pl`

Lines changed: 12 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,15 @@ sub contribcheck`
`241`	`241`	`exit$mstatif$mstat;`
`242`	`242`	`}`
`243`	`243`
	`244`	`+# Run "initdb", then reconfigure authentication.`
	`245`	`+substandard_initdb`
	`246`	`+{`
	`247`	`+return (`
	`248`	`+system('initdb','-N') == 0andsystem(`
	`249`	`+"$topdir/$Config/pg_regress/pg_regress",'--config-auth',`
	`250`	`+$ENV{PGDATA}) == 0);`
	`251`	`+}`
	`252`	`+`
`244`	`253`	`subupgradecheck`
`245`	`254`	`{`
`246`	`255`	`my$status;`
`@@ -252,6 +261,7 @@ sub upgradecheck`
`252`	`261`	`# i.e. only this version to this version check. That's`
`253`	`262`	`# what pg_upgrade's "make check" does.`
`254`	`263`
	`264`	`+$ENV{PGHOST} ='localhost';`
`255`	`265`	`$ENV{PGPORT} \|\|= 50432;`
`256`	`266`	`my$tmp_root ="$topdir/contrib/pg_upgrade/tmp_check";`
`257`	`267`	`(mkdir$tmp_root \|\|die$!)unless-d$tmp_root;`
`@@ -268,7 +278,7 @@ sub upgradecheck`
`268`	`278`	`my$logdir ="$topdir/contrib/pg_upgrade/log";`
`269`	`279`	`(mkdir$logdir \|\|die$!)unless-d$logdir;`
`270`	`280`	`print"\nRunning initdb on old cluster\n\n";`
`271`		`-system("initdb") == 0orexit 1;`
	`281`	`+standard_initdb()orexit 1;`
`272`	`282`	`print"\nStarting old cluster\n\n";`
`273`	`283`	`system("pg_ctl start -l$logdir/postmaster1.log -w") == 0orexit 1;`
`274`	`284`	`print"\nSetting up data for upgrading\n\n";`
`@@ -281,7 +291,7 @@ sub upgradecheck`
`281`	`291`	`system("pg_ctl -m fast stop") == 0orexit 1;`
`282`	`292`	`$ENV{PGDATA} ="$data";`
`283`	`293`	`print"\nSetting up new cluster\n\n";`
`284`		`-system("initdb") == 0orexit 1;`
	`294`	`+standard_initdb()orexit 1;`
`285`	`295`	`print"\nRunning pg_upgrade\n\n";`
`286`	`296`	`system("pg_upgrade -d$data.old -D$data -b$bindir -B$bindir") == 0`
`287`	`297`	`orexit 1;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0046f65

File tree

7 files changed

7 files changed

`‎contrib/dblink/Makefile`

`‎contrib/dblink/expected/dblink.out`

`‎contrib/dblink/sql/dblink.sql`

`‎contrib/pg_upgrade/test.sh`

`‎doc/src/sgml/regress.sgml`

`‎src/test/regress/pg_regress.c`

`‎src/tools/msvc/vcregress.pl`

0 commit comments