
Commit6d45ee5

committed
Lock down regression testing temporary clusters on Windows.
Use SSPI authentication to allow connections exclusively from the OS user that launched the test suite. This closes on Windows the vulnerability that commit be76a6d closed on other platforms. Users of "make installcheck" or custom test harnesses can run "pg_regress --config-auth=DATADIR" to activate the same authentication configuration that "make check" would use. Back-patch to 9.0 (all supported versions). Security: CVE-2014-0067
1 parenta2969bd commit6d45ee5


5 files changed

+177
-18
lines changed

5 files changed

+177
-18
lines changed

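--- a/contrib/dblink/Makefile
+++ b/contrib/dblink/Makefile
@@ -8,7 +8,8 @@ SHLIB_LINK = $(libpq)
 DATA_built = dblink.sql
 DATA = uninstall_dblink.sql
 REGRESS = paths dblink
-REGRESS_OPTS = --dbname=$(CONTRIB_TESTDB) --dlpath=$(top_builddir)/src/test/regress
+REGRESS_OPTS = --dbname=$(CONTRIB_TESTDB) --dlpath=$(top_builddir)/src/test/regress\
+--create-role=dblink_regression_test
 EXTRA_CLEAN = sql/paths.sql expected/paths.out
 
 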

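--- a/contrib/dblink/expected/dblink.out
+++ b/contrib/dblink/expected/dblink.out
@@ -817,7 +817,6 @@ SELECT dblink_disconnect('dtest1');
 (1 row)
 
 -- test foreign data wrapper functionality
-CREATE USER dblink_regression_test;
 CREATE FOREIGN DATA WRAPPER postgresql;
 CREATE SERVER fdtest FOREIGN DATA WRAPPER postgresql OPTIONS (dbname 'contrib_regression');
 CREATE USER MAPPING FOR public SERVER fdtest;
@@ -855,7 +854,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])
 \c - :ORIGINAL_USER
 REVOKE USAGE ON FOREIGN SERVER fdtest FROM dblink_regression_test;
 REVOKE EXECUTE ON FUNCTION dblink_connect_u(text, text) FROM dblink_regression_test;
-DROP USER dblink_regression_test;
 DROP USER MAPPING FOR public SERVER fdtest;
 DROP SERVER fdtest;
 DROP FOREIGN DATA WRAPPER postgresql;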

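--- a/contrib/dblink/sql/dblink.sql
+++ b/contrib/dblink/sql/dblink.sql
@@ -396,7 +396,6 @@ SELECT dblink_error_message('dtest1');
 SELECT dblink_disconnect('dtest1');
 
 -- test foreign data wrapper functionality
-CREATEUSERdblink_regression_test;
 
 CREATE FOREIGN DATA WRAPPER postgresql;
 CREATE SERVER fdtest FOREIGN DATA WRAPPER postgresql OPTIONS (dbname'contrib_regression');
@@ -415,7 +414,6 @@ SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[])
 \c- :ORIGINAL_USER
 REVOKE USAGEON FOREIGN SERVER fdtestFROM dblink_regression_test;
 REVOKE EXECUTEON FUNCTION dblink_connect_u(text,text)FROM dblink_regression_test;
-DROPUSER dblink_regression_test;
 DROPUSER MAPPING FOR public SERVER fdtest;
 DROP SERVER fdtest;
 DROP FOREIGN DATA WRAPPER postgresql;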

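--- a/doc/src/sgml/regress.sgml
+++ b/doc/src/sgml/regress.sgml
@@ -55,19 +55,6 @@ gmake check
 <quote>failure</> represents a serious problem.
 </para>
 
-<warning>
-<para>
-On systems lacking Unix-domain sockets, notably Windows, this test method
-starts a temporary server configured to accept any connection originating
-on the local machine. Any local user can gain database superuser
-privileges when connecting to this server, and could in principle exploit
-all privileges of the operating-system user running the tests. Therefore,
-it is not recommended that you use <literal>gmake check</> on an affected
-system shared with untrusted users. Instead, run the tests after
-completing the installation, as described in the next section.
-</para>
-</warning>
-
 <para>
 Because this test method runs a temporary server, it will not work
 if you did the build as the root user, since the server will not start as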

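--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -102,6 +102,7 @@ static bool port_specified_by_user = false;
 staticchar*dlpath=PKGLIBDIR;
 staticchar*user=NULL;
 static_stringlist*extraroles=NULL;
+staticchar*config_auth_datadir=NULL;
 
 /* internal variables */
 staticconstchar*progname;
@@ -974,6 +975,150 @@ initialize_environment(void)
 load_resultmap();
 }
 
+#ifdefENABLE_SSPI
+/*
+* Get account and domain/realm names for the current user. This is based on
+* pg_SSPI_recvauth(). The returned strings use static storage.
+*/
+staticvoid
+current_windows_user(constchar**acct,constchar**dom)
+{
+staticcharaccountname[MAXPGPATH];
+staticchardomainname[MAXPGPATH];
+HANDLEtoken;
+TOKEN_USER*tokenuser;
+DWORDretlen;
+DWORDaccountnamesize=sizeof(accountname);
+DWORDdomainnamesize=sizeof(domainname);
+SID_NAME_USEaccountnameuse;
+
+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&token))
+{
+fprintf(stderr,
+_("%s: could not open process token: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!GetTokenInformation(token,TokenUser,NULL,0,&retlen)&&GetLastError()!=122)
+{
+fprintf(stderr,
+_("%s: could not get token user size: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+tokenuser=malloc(retlen);
+if (!GetTokenInformation(token,TokenUser,tokenuser,retlen,&retlen))
+{
+fprintf(stderr,
+_("%s: could not get token user: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!LookupAccountSid(NULL,tokenuser->User.Sid,accountname,&accountnamesize,
+domainname,&domainnamesize,&accountnameuse))
+{
+fprintf(stderr,
+_("%s: could not look up account SID: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+free(tokenuser);
+
+*acct=accountname;
+*dom=domainname;
+}
+
+/*
+* Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit
+* the current OS user to authenticate as the bootstrap superuser and as any
+* user named in a --create-role option.
+*/
+staticvoid
+config_sspi_auth(constchar*pgdata)
+{
+constchar*accountname,
+*domainname;
+charusername[128];
+DWORDsz=sizeof(username)-1;
+charfname[MAXPGPATH];
+intres;
+FILE*hba,
+*ident;
+_stringlist*sl;
+
+/*
+* "username", the initdb-chosen bootstrap superuser name, may always
+* match "accountname", the value SSPI authentication discovers. The
+* underlying system functions do not clearly guarantee that.
+*/
+current_windows_user(&accountname,&domainname);
+if (!GetUserName(username,&sz))
+{
+fprintf(stderr,_("%s: could not get current user name: %s\n"),
+progname,strerror(errno));
+exit(2);
+}
+
+/* Check a Write outcome and report any error. */
+#defineCW(cond)\
+do { \
+if (!(cond)) \
+{ \
+fprintf(stderr, _("%s: could not write to file \"%s\": %s\n"), \
+progname, fname, strerror(errno)); \
+exit(2); \
+} \
+} while (0)
+
+res=snprintf(fname,sizeof(fname),"%s/pg_hba.conf",pgdata);
+if (res<0||res >=sizeof(fname)-1)
+{
+/*
+* Truncating this name is a fatal error, because we must not fail to
+* overwrite an original trust-authentication pg_hba.conf.
+*/
+fprintf(stderr,_("%s: directory name too long\n"),progname);
+exit(2);
+}
+hba=fopen(fname,"w");
+if (hba==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",hba) >=0);
+CW(fputs("host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n",
+hba) >=0);
+CW(fclose(hba)==0);
+
+snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata);
+ident=fopen(fname,"w");
+if (ident==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",ident) >=0);
+
+/*
+* Double-quote for the benefit of account names containing whitespace or
+* '#'. Windows forbids the double-quote character itself, so don't
+* bother escaping embedded double-quote characters.
+*/
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,username) >=0);
+for (sl=extraroles;sl;sl=sl->next)
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,sl->str) >=0);
+CW(fclose(ident)==0);
+}
+#endif
+
 /*
 * Issue a command via psql, connecting to the specified database
 *
@@ -1963,6 +2108,7 @@ help(void)
 printf(_("Usage: %s [options...] [extra tests...]\n"),progname);
 printf(_("\n"));
 printf(_("Options:\n"));
+printf(_(" --config-auth=DATADIR update authentication settings for DATADIR\n"));
 printf(_(" --dbname=DB use database DB (default \"regression\")\n"));
 printf(_(" --debug turn on debug mode in programs that are run\n"));
 printf(_(" --inputdir=DIR take input files from DIR (default \".\")\n"));
@@ -2029,6 +2175,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 {"create-role",required_argument,NULL,18},
 {"temp-config",required_argument,NULL,19},
 {"use-existing",no_argument,NULL,20},
+{"config-auth",required_argument,NULL,24},
 {NULL,0,NULL,0}
 };
 
@@ -2122,6 +2269,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 case20:
 use_existing= true;
 break;
+case24:
+config_auth_datadir=strdup(optarg);
+if (!config_auth_datadir)
+{
+fprintf(stderr,_("out of memory\n"));
+exit(EXIT_FAILURE);
+}
+break;
 default:
 /* getopt_long already emitted a complaint */
 fprintf(stderr,_("\nTry \"%s -h\" for more information.\n"),
@@ -2139,6 +2294,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 optind++;
 }
 
+if (config_auth_datadir)
+{
+#ifdefENABLE_SSPI
+config_sspi_auth(config_auth_datadir);
+#endif
+exit(0);
+}
+
 if (temp_install&& !port_specified_by_user)
 
 /*
@@ -2260,6 +2423,18 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 
 fclose(pg_conf);
 
+#ifdefENABLE_SSPI
+
+/*
+* Since we successfully used the same buffer for the much-longer
+* "initdb" command, this can't truncate.
+*/
+snprintf(buf,sizeof(buf),"%s/data",temp_install);
+config_sspi_auth(buf);
+#elif !defined(HAVE_UNIX_SOCKETS)
+#error Platform has no means to secure the test installation.
+#endif
+
 /*
 * Check if there is a postmaster running already.
 */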
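Review bot: The second `snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata)` in config_sspi_auth() is not checked for truncation, although the pg_hba.conf path just above it is, and "pg_ident.conf" is two characters longer, so a data directory path that barely passes the first check can still be cut short here. The user map would then be written under a different file name than the one the server reads; presumably that fails closed (the `map=regress` line would match no entry), but it shows up as an unexplained authentication failure instead of the "directory name too long" error. I would assign the result, `res = snprintf(fname, sizeof(fname), "%s/pg_ident.conf", pgdata);`, and repeat the `if (res < 0 || res >= sizeof(fname) - 1)` exit. In the same function the GetUserName() failure path prints `strerror(errno)`, while every other Win32 call in this section reports `GetLastError()`; the message would be more useful as `error code %lu` with `GetLastError()`. current_windows_user() also hands the `malloc(retlen)` result to GetTokenInformation() without a NULL check, so an allocation failure is reported as a token error.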
