Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit369c229

Browse files
committed
Document risks of "make check" in the regression testing instructions.
Since the temporary server started by "make check" uses "trust"authentication, another user on the same machine could connect to itas database superuser, and then potentially exploit the privileges ofthe operating-system user who started the tests. We should changethe testing procedures to prevent this risk; but discussion is requiredabout the best way to do that, as well as more testing than is practicalfor an undisclosed security problem. Besides, the same issue probablyaffects some user-written test harnesses. So for the moment, we'll justwarn people against using "make check" when there are untrusted users onthe same machine.In passing, remove some ancient advice that suggested making theregression testing subtree world-writable if you'd built as root.That looks dangerously insecure in modern contexts, and anyway weshould not be encouraging people to build Postgres as root.Security:CVE-2014-0067
1 parent45bf240 commit369c229

File tree

1 file changed

+22
-16
lines changed

1 file changed

+22
-16
lines changed

‎doc/src/sgml/regress.sgml

Lines changed: 22 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -55,25 +55,31 @@ gmake check
5555
<quote>failure</> represents a serious problem.
5656
</para>
5757

58+
<warning>
5859
<para>
59-
Because thistest methodruns a temporary server,it will not work
60-
when you aretheroot user (since the server will not start as root).
61-
If you already did the build as root, you do not have to start all
62-
over. Instead, make the regression test directory writable by
63-
some other user, log in asthatuser, and restart the tests.
64-
For example:
65-
<screen>
66-
<prompt>root# </prompt><userinput>chmod -R a+w src/test/regress</userinput>
67-
<prompt>root# </prompt><userinput>su - joeuser</userinput>
68-
<prompt>joeuser$ </prompt><userinput>cd <replaceable>top-level build directory</></userinput>
69-
<prompt>joeuser$ </prompt><userinput>gmake check</userinput>
70-
</screen>
71-
(The only possible <quote>security risk</quote> here is that other
72-
users might be able to alter the regression test results behind
73-
your back. Use common sense when managing user permissions.)
60+
Thistest methodstarts a temporary server,which is configured to accept
61+
any connection originating onthelocal machine. Any local user can gain
62+
database superuser privileges when connecting to this server, and could
63+
in principle exploit all privileges of the operating-system user running
64+
the tests. Therefore, it is not recommendedthatyou use <literal>gmake
65+
check</> on machines shared with untrusted users. Instead, run the tests
66+
after completing the installation, as described in the next section.
67+
</para>
68+
69+
<para>
70+
On Unix-like machines, this danger can be avoided if the temporary
71+
server's socket file is made inaccessible to other users, for example
72+
by running the tests in a protected chroot. On Windows, the temporary
73+
server opens a locally-accessible TCP socket, so filesystem protections
74+
cannot help.
7475
</para>
76+
</warning>
77+
7578
<para>
76-
Alternatively, run the tests after installation.
79+
Because this test method runs a temporary server, it will not work
80+
if you did the build as the root user, since the server will not start as
81+
root. Recommended procedure is not to do the build as root, or else to
82+
perform testing after completing the installation.
7783
</para>
7884

7985
<para>

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp