Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbe76a6d

Browse files
committed
Secure Unix-domain sockets of "make check" temporary clusters.
Any OS user able to access the socket can connect as the bootstrapsuperuser and proceed to execute arbitrary code as the OS user runningthe test. Protect against that by placing the socket in a temporary,mode-0700 subdirectory of /tmp. The pg_regress-based test suites andthe pg_upgrade test suite were vulnerable; the $(prove_check)-based testsuites were already secure. Back-patch to 8.4 (all supported versions).The hazard remains wherever the temporary cluster accepts TCPconnections, notably on Windows.As a convenient side effect, this lets testing proceed smoothly inbuilds that override DEFAULT_PGSOCKET_DIR. Popular non-default valueslike /var/run/postgresql are often unwritable to the build user.Security:CVE-2014-0067
1 parent9e6b1bf commitbe76a6d

File tree

3 files changed

+143
-28
lines changed

3 files changed

+143
-28
lines changed

‎contrib/pg_upgrade/test.sh

Lines changed: 32 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -17,15 +17,43 @@ set -e
1717
unset MAKEFLAGS
1818
unset MAKELEVEL
1919

20-
#Set listen_addresses desirably
20+
#Establish how the server will listen for connections
2121
testhost=`uname -s`
2222

2323
case$testhostin
24-
MINGW*)LISTEN_ADDRESSES="localhost" ;;
25-
*)LISTEN_ADDRESSES="" ;;
24+
MINGW*)
25+
LISTEN_ADDRESSES="localhost"
26+
PGHOST="";unset PGHOST
27+
;;
28+
*)
29+
LISTEN_ADDRESSES=""
30+
# Select a socket directory. The algorithm is from the "configure"
31+
# script; the outcome mimics pg_regress.c:make_temp_sockdir().
32+
PGHOST=$PG_REGRESS_SOCK_DIR
33+
if ["x$PGHOST"= x ];then
34+
{
35+
dir=`(umask 077&&
36+
mktemp -d /tmp/pg_upgrade_check-XXXXXX)2>/dev/null`&&
37+
[-d"$dir" ]
38+
}||
39+
{
40+
dir=/tmp/pg_upgrade_check-$$-$RANDOM
41+
(umask 077&& mkdir"$dir")
42+
}||
43+
{
44+
echo"could not create socket temporary directory in\"/tmp\""
45+
exit 1
46+
}
47+
48+
PGHOST=$dir
49+
trap'rm -rf "$PGHOST"' 0
50+
trap'exit 3' 1 2 13 15
51+
fi
52+
export PGHOST
53+
;;
2654
esac
2755

28-
POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES"
56+
POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES -k\"$PGHOST\""
2957

3058
temp_root=$PWD/tmp_check
3159

@@ -86,7 +114,6 @@ PGSERVICE=""; unset PGSERVICE
86114
PGSSLMODE="";unset PGSSLMODE
87115
PGREQUIRESSL="";unset PGREQUIRESSL
88116
PGCONNECT_TIMEOUT="";unset PGCONNECT_TIMEOUT
89-
PGHOST="";unset PGHOST
90117
PGHOSTADDR="";unset PGHOSTADDR
91118

92119
# Select a non-conflicting port number, similarly to pg_regress.c

‎doc/src/sgml/regress.sgml

Lines changed: 8 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -58,21 +58,14 @@ make check
5858

5959
<warning>
6060
<para>
61-
This test method starts a temporary server, which is configured to accept
62-
any connection originating on the local machine. Any local user can gain
63-
database superuser privileges when connecting to this server, and could
64-
in principle exploit all privileges of the operating-system user running
65-
the tests. Therefore, it is not recommended that you use <literal>make
66-
check</> on machines shared with untrusted users. Instead, run the tests
67-
after completing the installation, as described in the next section.
68-
</para>
69-
70-
<para>
71-
On Unix-like machines, this danger can be avoided if the temporary
72-
server's socket file is made inaccessible to other users, for example
73-
by running the tests in a protected chroot. On Windows, the temporary
74-
server opens a locally-accessible TCP socket, so filesystem protections
75-
cannot help.
61+
On systems lacking Unix-domain sockets, notably Windows, this test method
62+
starts a temporary server configured to accept any connection originating
63+
on the local machine. Any local user can gain database superuser
64+
privileges when connecting to this server, and could in principle exploit
65+
all privileges of the operating-system user running the tests. Therefore,
66+
it is not recommended that you use <literal>make check</> on an affected
67+
system shared with untrusted users. Instead, run the tests after
68+
completing the installation, as described in the next section.
7669
</para>
7770
</warning>
7871

‎src/test/regress/pg_regress.c

Lines changed: 103 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@
3030
#endif
3131

3232
#include"getopt_long.h"
33+
#include"libpq/pqcomm.h"/* needed for UNIXSOCK_PATH() */
3334
#include"pg_config_paths.h"
3435

3536
/* for resultmap we need a list of pairs of strings */
@@ -109,6 +110,12 @@ static const char *progname;
109110
staticchar*logfilename;
110111
staticFILE*logfile;
111112
staticchar*difffilename;
113+
staticconstchar*sockdir;
114+
#ifdefHAVE_UNIX_SOCKETS
115+
staticconstchar*temp_sockdir;
116+
staticcharsockself[MAXPGPATH];
117+
staticcharsocklock[MAXPGPATH];
118+
#endif
112119

113120
static_resultmap*resultmap=NULL;
114121

@@ -307,6 +314,82 @@ stop_postmaster(void)
307314
}
308315
}
309316

317+
#ifdefHAVE_UNIX_SOCKETS
318+
/*
319+
* Remove the socket temporary directory. pg_regress never waits for a
320+
* postmaster exit, so it is indeterminate whether the postmaster has yet to
321+
* unlink the socket and lock file. Unlink them here so we can proceed to
322+
* remove the directory. Ignore errors; leaking a temporary directory is
323+
* unimportant. This can run from a signal handler. The code is not
324+
* acceptable in a Windows signal handler (see initdb.c:trapsig()), but
325+
* Windows is not a HAVE_UNIX_SOCKETS platform.
326+
*/
327+
staticvoid
328+
remove_temp(void)
329+
{
330+
Assert(temp_sockdir);
331+
unlink(sockself);
332+
unlink(socklock);
333+
rmdir(temp_sockdir);
334+
}
335+
336+
/*
337+
* Signal handler that calls remove_temp() and reraises the signal.
338+
*/
339+
staticvoid
340+
signal_remove_temp(intsignum)
341+
{
342+
remove_temp();
343+
344+
pqsignal(signum,SIG_DFL);
345+
raise(signum);
346+
}
347+
348+
/*
349+
* Create a temporary directory suitable for the server's Unix-domain socket.
350+
* The directory will have mode 0700 or stricter, so no other OS user can open
351+
* our socket to exploit our use of trust authentication. Most systems
352+
* constrain the length of socket paths well below _POSIX_PATH_MAX, so we
353+
* place the directory under /tmp rather than relative to the possibly-deep
354+
* current working directory.
355+
*
356+
* Compared to using the compiled-in DEFAULT_PGSOCKET_DIR, this also permits
357+
* testing to work in builds that relocate it to a directory not writable to
358+
* the build/test user.
359+
*/
360+
staticconstchar*
361+
make_temp_sockdir(void)
362+
{
363+
char*template=strdup("/tmp/pg_regress-XXXXXX");
364+
365+
temp_sockdir=mkdtemp(template);
366+
if (temp_sockdir==NULL)
367+
{
368+
fprintf(stderr,_("%s: could not create directory \"%s\": %s\n"),
369+
progname,template,strerror(errno));
370+
exit(2);
371+
}
372+
373+
/* Stage file names for remove_temp(). Unsafe in a signal handler. */
374+
UNIXSOCK_PATH(sockself,port,temp_sockdir);
375+
snprintf(socklock,sizeof(socklock),"%s.lock",sockself);
376+
377+
/* Remove the directory during clean exit. */
378+
atexit(remove_temp);
379+
380+
/*
381+
* Remove the directory before dying to the usual signals. Omit SIGQUIT,
382+
* preserving it as a quick, untidy exit.
383+
*/
384+
pqsignal(SIGHUP,signal_remove_temp);
385+
pqsignal(SIGINT,signal_remove_temp);
386+
pqsignal(SIGPIPE,signal_remove_temp);
387+
pqsignal(SIGTERM,signal_remove_temp);
388+
389+
returntemp_sockdir;
390+
}
391+
#endif/* HAVE_UNIX_SOCKETS */
392+
310393
/*
311394
* Check whether string matches pattern
312395
*
@@ -759,8 +842,7 @@ initialize_environment(void)
759842
* the wrong postmaster, or otherwise behave in nondefault ways. (Note
760843
* we also use psql's -X switch consistently, so that ~/.psqlrc files
761844
* won't mess things up.) Also, set PGPORT to the temp port, and set
762-
* or unset PGHOST depending on whether we are using TCP or Unix
763-
* sockets.
845+
* PGHOST depending on whether we are using TCP or Unix sockets.
764846
*/
765847
unsetenv("PGDATABASE");
766848
unsetenv("PGUSER");
@@ -769,10 +851,20 @@ initialize_environment(void)
769851
unsetenv("PGREQUIRESSL");
770852
unsetenv("PGCONNECT_TIMEOUT");
771853
unsetenv("PGDATA");
854+
#ifdefHAVE_UNIX_SOCKETS
772855
if (hostname!=NULL)
773856
doputenv("PGHOST",hostname);
774857
else
775-
unsetenv("PGHOST");
858+
{
859+
sockdir=getenv("PG_REGRESS_SOCK_DIR");
860+
if (!sockdir)
861+
sockdir=make_temp_sockdir();
862+
doputenv("PGHOST",sockdir);
863+
}
864+
#else
865+
Assert(hostname!=NULL);
866+
doputenv("PGHOST",hostname);
867+
#endif
776868
unsetenv("PGHOSTADDR");
777869
if (port!=-1)
778870
{
@@ -2067,7 +2159,9 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
20672159
/*
20682160
* To reduce chances of interference with parallel installations, use
20692161
* a port number starting in the private range (49152-65535)
2070-
* calculated from the version number.
2162+
* calculated from the version number. This aids !HAVE_UNIX_SOCKETS
2163+
* systems; elsewhere, the use of a private socket directory already
2164+
* prevents interference.
20712165
*/
20722166
port=0xC000 | (PG_VERSION_NUM&0x3FFF);
20732167

@@ -2240,10 +2334,11 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
22402334
*/
22412335
header(_("starting postmaster"));
22422336
snprintf(buf,sizeof(buf),
2243-
"\"%s/postgres\" -D \"%s/data\" -F%s -c \"listen_addresses=%s\" > \"%s/log/postmaster.log\" 2>&1",
2244-
bindir,temp_install,
2245-
debug ?" -d 5" :"",
2246-
hostname ?hostname :"",
2337+
"\"%s/postgres\" -D \"%s/data\" -F%s "
2338+
"-c \"listen_addresses=%s\" -k \"%s\" "
2339+
"> \"%s/log/postmaster.log\" 2>&1",
2340+
bindir,temp_install,debug ?" -d 5" :"",
2341+
hostname ?hostname :"",sockdir ?sockdir :"",
22472342
outputdir);
22482343
postmaster_pid=spawn_process(buf);
22492344
if (postmaster_pid==INVALID_PID)

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp