Commit442dc2c

committed
Lock down regression testing temporary clusters on Windows.
Use SSPI authentication to allow connections exclusively from the OS user that launched the test suite. This closes on Windows the vulnerability that commit be76a6d closed on other platforms. Users of "make installcheck" or custom test harnesses can run "pg_regress --config-auth=DATADIR" to activate the same authentication configuration that "make check" would use. Back-patch to 9.0 (all supported versions). Security: CVE-2014-0067
1 parent83fffec commit442dc2c


7 files changed

+195
-24
lines changed

7 files changed

+195
-24
lines changed

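--- a/contrib/dblink/Makefile
+++ b/contrib/dblink/Makefile
@@ -10,7 +10,8 @@ EXTENSION = dblink
 DATA = dblink--1.1.sql dblink--1.0--1.1.sql dblink--unpackaged--1.0.sql
 
 REGRESS = paths dblink
-REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress
+REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress\
+--create-role=dblink_regression_test
 EXTRA_CLEAN = sql/paths.sql expected/paths.out
 
 # the db name is hard-coded in the tests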

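--- a/contrib/dblink/expected/dblink.out
+++ b/contrib/dblink/expected/dblink.out
@@ -809,7 +809,6 @@ SELECT dblink_disconnect('dtest1');
 (1 row)
 
 -- test foreign data wrapper functionality
-CREATE USER dblink_regression_test;
 CREATE SERVER fdtest FOREIGN DATA WRAPPER dblink_fdw
 OPTIONS (dbname 'contrib_regression');
 CREATE USER MAPPING FOR public SERVER fdtest
@@ -851,7 +850,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])
 \c - :ORIGINAL_USER
 REVOKE USAGE ON FOREIGN SERVER fdtest FROM dblink_regression_test;
 REVOKE EXECUTE ON FUNCTION dblink_connect_u(text, text) FROM dblink_regression_test;
-DROP USER dblink_regression_test;
 DROP USER MAPPING FOR public SERVER fdtest;
 DROP SERVER fdtest;
 -- test asynchronous notifications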

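--- a/contrib/dblink/sql/dblink.sql
+++ b/contrib/dblink/sql/dblink.sql
@@ -387,7 +387,6 @@ SELECT dblink_error_message('dtest1');
 SELECT dblink_disconnect('dtest1');
 
 -- test foreign data wrapper functionality
-CREATEUSERdblink_regression_test;
 CREATE SERVER fdtest FOREIGN DATA WRAPPER dblink_fdw
 OPTIONS (dbname'contrib_regression');
 CREATEUSERMAPPING FOR public SERVER fdtest
@@ -408,7 +407,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])
 \c- :ORIGINAL_USER
 REVOKE USAGEON FOREIGN SERVER fdtestFROM dblink_regression_test;
 REVOKE EXECUTEON FUNCTION dblink_connect_u(text,text)FROM dblink_regression_test;
-DROPUSER dblink_regression_test;
 DROPUSER MAPPING FOR public SERVER fdtest;
 DROP SERVER fdtest;
 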
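--- a/contrib/pg_upgrade/test.sh
+++ b/contrib/pg_upgrade/test.sh
@@ -17,13 +17,20 @@ set -e
 unset MAKEFLAGS
 unset MAKELEVEL
 
+# Run a given "initdb" binary and overlay the regression testing
+# authentication configuration.
+standard_initdb() {
+"$1" -N
+../../src/test/regress/pg_regress --config-auth"$PGDATA"
+}
+
 # Establish how the server will listen for connections
 testhost=`uname -s`
 
 case$testhostin
 MINGW*)
 LISTEN_ADDRESSES="localhost"
-PGHOST="";unset PGHOST
+PGHOST=localhost
 ;;
 *)
 LISTEN_ADDRESSES=""
@@ -49,11 +56,11 @@ case $testhost in
 trap'rm -rf "$PGHOST"' 0
 trap'exit 3' 1 2 13 15
 fi
-export PGHOST
 ;;
 esac
 
 POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES -k\"$PGHOST\""
+export PGHOST
 
 temp_root=$PWD/tmp_check
 
@@ -141,7 +148,7 @@ export EXTRA_REGRESS_OPTS
 # enable echo so the user can see what is being executed
 set -x
 
-$oldbindir/initdb -N
+standard_initdb"$oldbindir"/initdb
 $oldbindir/pg_ctl start -l"$logdir/postmaster1.log" -o"$POSTMASTER_OPTS" -w
 if"$MAKE" -C"$oldsrc" installcheck;then
 pg_dumpall -f"$temp_root"/dump1.sql|| pg_dumpall1_status=$?
@@ -181,7 +188,7 @@ fi
 
 PGDATA=$BASE_PGDATA
 
-initdb -N
+standard_initdb'initdb'
 
 pg_upgrade$PG_UPGRADE_OPTS -d"${PGDATA}.old" -D"${PGDATA}" -b"$oldbindir" -B"$bindir" -p"$PGPORT" -P"$PGPORT"
 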
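Review bot: standard_initdb() in the first hunk reaches pg_regress through the relative path `../../src/test/regress/pg_regress`, so it only works when the script's working directory is contrib/pg_upgrade, and nothing near the function states that assumption. A one-line addition to its header comment, `# Assumes the cwd is contrib/pg_upgrade (see the relative pg_regress path).`, would make the dependency visible to anyone moving the call sites. Because `set -e` is in force (the hunk header shows it), a non-zero exit from either initdb or pg_regress already aborts the script, so the function needs no explicit status check; it does, however, depend on PGDATA being set by the caller, which the later hunks satisfy with `PGDATA=$BASE_PGDATA`.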

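--- a/doc/src/sgml/regress.sgml
+++ b/doc/src/sgml/regress.sgml
@@ -56,19 +56,6 @@ gmake check
 <quote>failure</> represents a serious problem.
 </para>
 
-<warning>
-<para>
-On systems lacking Unix-domain sockets, notably Windows, this test method
-starts a temporary server configured to accept any connection originating
-on the local machine. Any local user can gain database superuser
-privileges when connecting to this server, and could in principle exploit
-all privileges of the operating-system user running the tests. Therefore,
-it is not recommended that you use <literal>gmake check</> on an affected
-system shared with untrusted users. Instead, run the tests after
-completing the installation, as described in the next section.
-</para>
-</warning>
-
 <para>
 Because this test method runs a temporary server, it will not work
 if you did the build as the root user, since the server will not start as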

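--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -104,6 +104,7 @@ static char *dlpath = PKGLIBDIR;
 staticchar*user=NULL;
 static_stringlist*extraroles=NULL;
 static_stringlist*extra_install=NULL;
+staticchar*config_auth_datadir=NULL;
 
 /* internal variables */
 staticconstchar*progname;
@@ -971,6 +972,150 @@ initialize_environment(void)
 load_resultmap();
 }
 
+#ifdefENABLE_SSPI
+/*
+* Get account and domain/realm names for the current user. This is based on
+* pg_SSPI_recvauth(). The returned strings use static storage.
+*/
+staticvoid
+current_windows_user(constchar**acct,constchar**dom)
+{
+staticcharaccountname[MAXPGPATH];
+staticchardomainname[MAXPGPATH];
+HANDLEtoken;
+TOKEN_USER*tokenuser;
+DWORDretlen;
+DWORDaccountnamesize=sizeof(accountname);
+DWORDdomainnamesize=sizeof(domainname);
+SID_NAME_USEaccountnameuse;
+
+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&token))
+{
+fprintf(stderr,
+_("%s: could not open process token: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!GetTokenInformation(token,TokenUser,NULL,0,&retlen)&&GetLastError()!=122)
+{
+fprintf(stderr,
+_("%s: could not get token user size: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+tokenuser=malloc(retlen);
+if (!GetTokenInformation(token,TokenUser,tokenuser,retlen,&retlen))
+{
+fprintf(stderr,
+_("%s: could not get token user: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!LookupAccountSid(NULL,tokenuser->User.Sid,accountname,&accountnamesize,
+domainname,&domainnamesize,&accountnameuse))
+{
+fprintf(stderr,
+_("%s: could not look up account SID: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+free(tokenuser);
+
+*acct=accountname;
+*dom=domainname;
+}
+
+/*
+* Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit
+* the current OS user to authenticate as the bootstrap superuser and as any
+* user named in a --create-role option.
+*/
+staticvoid
+config_sspi_auth(constchar*pgdata)
+{
+constchar*accountname,
+*domainname;
+charusername[128];
+DWORDsz=sizeof(username)-1;
+charfname[MAXPGPATH];
+intres;
+FILE*hba,
+*ident;
+_stringlist*sl;
+
+/*
+* "username", the initdb-chosen bootstrap superuser name, may always
+* match "accountname", the value SSPI authentication discovers. The
+* underlying system functions do not clearly guarantee that.
+*/
+current_windows_user(&accountname,&domainname);
+if (!GetUserName(username,&sz))
+{
+fprintf(stderr,_("%s: could not get current user name: %s\n"),
+progname,strerror(errno));
+exit(2);
+}
+
+/* Check a Write outcome and report any error. */
+#defineCW(cond)\
+do { \
+if (!(cond)) \
+{ \
+fprintf(stderr, _("%s: could not write to file \"%s\": %s\n"), \
+progname, fname, strerror(errno)); \
+exit(2); \
+} \
+} while (0)
+
+res=snprintf(fname,sizeof(fname),"%s/pg_hba.conf",pgdata);
+if (res<0||res >=sizeof(fname)-1)
+{
+/*
+* Truncating this name is a fatal error, because we must not fail to
+* overwrite an original trust-authentication pg_hba.conf.
+*/
+fprintf(stderr,_("%s: directory name too long\n"),progname);
+exit(2);
+}
+hba=fopen(fname,"w");
+if (hba==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",hba) >=0);
+CW(fputs("host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n",
+hba) >=0);
+CW(fclose(hba)==0);
+
+snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata);
+ident=fopen(fname,"w");
+if (ident==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",ident) >=0);
+
+/*
+* Double-quote for the benefit of account names containing whitespace or
+* '#'. Windows forbids the double-quote character itself, so don't
+* bother escaping embedded double-quote characters.
+*/
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,username) >=0);
+for (sl=extraroles;sl;sl=sl->next)
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,sl->str) >=0);
+CW(fclose(ident)==0);
+}
+#endif
+
 /*
 * Issue a command via psql, connecting to the specified database
 *
@@ -1970,6 +2115,7 @@ help(void)
 printf(_("Usage:\n %s [OPTION]... [EXTRA-TEST]...\n"),progname);
 printf(_("\n"));
 printf(_("Options:\n"));
+printf(_(" --config-auth=DATADIR update authentication settings for DATADIR\n"));
 printf(_(" --create-role=ROLE create the specified role before testing\n"));
 printf(_(" --dbname=DB use database DB (default \"regression\")\n"));
 printf(_(" --debug turn on debug mode in programs that are run\n"));
@@ -2036,6 +2182,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 {"launcher",required_argument,NULL,21},
 {"load-extension",required_argument,NULL,22},
 {"extra-install",required_argument,NULL,23},
+{"config-auth",required_argument,NULL,24},
 {NULL,0,NULL,0}
 };
 
@@ -2150,6 +2297,9 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 case23:
 add_stringlist_item(&extra_install,optarg);
 break;
+case24:
+config_auth_datadir=pstrdup(optarg);
+break;
 default:
 /* getopt_long already emitted a complaint */
 fprintf(stderr,_("\nTry \"%s -h\" for more information.\n"),
@@ -2167,6 +2317,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 optind++;
 }
 
+if (config_auth_datadir)
+{
+#ifdefENABLE_SSPI
+config_sspi_auth(config_auth_datadir);
+#endif
+exit(0);
+}
+
 if (temp_install&& !port_specified_by_user)
 
 /*
@@ -2307,6 +2465,18 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 
 fclose(pg_conf);
 
+#ifdefENABLE_SSPI
+
+/*
+* Since we successfully used the same buffer for the much-longer
+* "initdb" command, this can't truncate.
+*/
+snprintf(buf,sizeof(buf),"%s/data",temp_install);
+config_sspi_auth(buf);
+#elif !defined(HAVE_UNIX_SOCKETS)
+#error Platform has no means to secure the test installation.
+#endif
+
 /*
 * Check if there is a postmaster running already.
 */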
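Review bot: In config_sspi_auth() the second snprintf() into fname, the one building the pg_ident.conf path, is not length-checked, while the pg_hba.conf path just above it is guarded by `if (res<0||res >=sizeof(fname)-1)`; since "pg_ident.conf" is two characters longer than "pg_hba.conf", a pgdata path that narrowly passes the first check can still be truncated here, and the user mapping is then written under a mis-named file. That presumably fails closed (the server would find no "regress" map and refuse the connection) rather than opening the cluster, but the resulting test failure would be obscure; reusing the same guard, `res = snprintf(fname, sizeof(fname), "%s/pg_ident.conf", pgdata);` followed by the existing `res < 0 || res >= sizeof(fname) - 1` test and `exit(2)`, keeps the failure explicit. Two smaller points in current_windows_user(): the result of `tokenuser=malloc(retlen);` is passed to GetTokenInformation() without a NULL check, and the literal 122 in `GetLastError()!=122` reads more clearly as ERROR_INSUFFICIENT_BUFFER.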

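--- a/src/tools/msvc/vcregress.pl
+++ b/src/tools/msvc/vcregress.pl
@@ -242,6 +242,15 @@ sub contribcheck
 exit$mstatif$mstat;
 }
 
+# Run "initdb", then reconfigure authentication.
+substandard_initdb
+{
+return (
+system('initdb','-N') == 0andsystem(
+"$topdir/$Config/pg_regress/pg_regress",'--config-auth',
+$ENV{PGDATA}) == 0);
+}
+
 subupgradecheck
 {
 my$status;
@@ -253,6 +262,7 @@ sub upgradecheck
 # i.e. only this version to this version check. That's
 # what pg_upgrade's "make check" does.
 
+$ENV{PGHOST} ='localhost';
 $ENV{PGPORT} ||= 50432;
 my$tmp_root ="$topdir/contrib/pg_upgrade/tmp_check";
 (mkdir$tmp_root ||die$!)unless-d$tmp_root;
@@ -270,7 +280,7 @@ sub upgradecheck
 my$logdir ="$topdir/contrib/pg_upgrade/log";
 (mkdir$logdir ||die$!)unless-d$logdir;
 print"\nRunning initdb on old cluster\n\n";
-system("initdb") == 0orexit 1;
+standard_initdb()orexit 1;
 print"\nStarting old cluster\n\n";
 system("pg_ctl start -l$logdir/postmaster1.log -w") == 0orexit 1;
 print"\nSetting up data for upgrading\n\n";
@@ -284,7 +294,7 @@ sub upgradecheck
 system("pg_ctl -m fast stop") == 0orexit 1;
 $ENV{PGDATA} ="$data";
 print"\nSetting up new cluster\n\n";
-system("initdb") == 0orexit 1;
+standard_initdb()orexit 1;
 print"\nRunning pg_upgrade\n\n";
 system("pg_upgrade -d$data.old -D$data -b$bindir -B$bindir") == 0
 orexit 1;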
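Review bot: standard_initdb in the first hunk depends on `$ENV{PGDATA}` already naming the cluster to reconfigure, and its header comment does not say so; upgradecheck does set it before each call (the last hunk shows `$ENV{PGDATA} = "$data";`), but a caller that forgot would pass an undefined value to pg_regress and get only a warning under `use warnings`. Extending the comment to `# Run "initdb", then reconfigure authentication. Requires $ENV{PGDATA} to name the cluster; returns true on success.` states the contract where the next caller will read it. The list-form system() calls are the right shape here, since neither the pg_regress path nor PGDATA goes through a shell.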
