Commitf6dc6dd

committed
Lock down regression testing temporary clusters on Windows.
Use SSPI authentication to allow connections exclusively from the OS user that launched the test suite. This closes on Windows the vulnerability that commit be76a6d closed on other platforms. Users of "make installcheck" or custom test harnesses can run "pg_regress --config-auth=DATADIR" to activate the same authentication configuration that "make check" would use. Back-patch to 9.0 (all supported versions). Security: CVE-2014-0067
1 parentfc2ac1f commitf6dc6dd


8 files changed

+211
-23
lines changed


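--- a/contrib/pg_upgrade/test.sh
+++ b/contrib/pg_upgrade/test.sh
@@ -17,13 +17,20 @@ set -e
 unset MAKEFLAGS
 unset MAKELEVEL
 
+# Run a given "initdb" binary and overlay the regression testing
+# authentication configuration.
+standard_initdb() {
+"$1" -N
+../../src/test/regress/pg_regress --config-auth"$PGDATA"
+}
+
 # Establish how the server will listen for connections
 testhost=`uname -s`
 
 case$testhostin
 MINGW*)
 LISTEN_ADDRESSES="localhost"
-PGHOST="";unset PGHOST
+PGHOST=localhost
 ;;
 *)
 LISTEN_ADDRESSES=""
@@ -49,11 +56,11 @@ case $testhost in
 trap'rm -rf "$PGHOST"' 0
 trap'exit 3' 1 2 13 15
 fi
-export PGHOST
 ;;
 esac
 
 POSTMASTER_OPTS="-F -c listen_addresses=$LISTEN_ADDRESSES -k\"$PGHOST\""
+export PGHOST
 
 temp_root=$PWD/tmp_check
 
@@ -141,7 +148,7 @@ export EXTRA_REGRESS_OPTS
 # enable echo so the user can see what is being executed
 set -x
 
-"$oldbindir"/initdb -N
+standard_initdb"$oldbindir"/initdb
 "$oldbindir"/pg_ctl start -l"$logdir/postmaster1.log" -o"$POSTMASTER_OPTS" -w
 if"$MAKE" -C"$oldsrc" installcheck;then
 pg_dumpall -f"$temp_root"/dump1.sql|| pg_dumpall1_status=$?
@@ -181,7 +188,7 @@ fi
 
 PGDATA=$BASE_PGDATA
 
-initdb -N
+standard_initdb'initdb'
 
 pg_upgrade$PG_UPGRADE_OPTS -d"${PGDATA}.old" -D"${PGDATA}" -b"$oldbindir" -B"$bindir" -p"$PGPORT" -P"$PGPORT"
 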
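Review bot: standard_initdb takes the initdb binary as its only argument but reads the data directory from the ambient $PGDATA and locates pg_regress through the relative path ../../src/test/regress, so both callers depend on PGDATA being exported beforehand (the first call, `standard_initdb "$oldbindir"/initdb`, relies on an assignment outside the hunk) and on the script running from contrib/pg_upgrade. A one-line comment on the function would make that explicit: `# Requires PGDATA to be set and the cwd to be contrib/pg_upgrade.` The `set -e` visible in the first hunk header appears to cover the function body, so a failing --config-auth aborts the run instead of leaving a trust-authenticated cluster to be started by the pg_ctl line that follows.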
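--- a/doc/src/sgml/regress.sgml
+++ b/doc/src/sgml/regress.sgml
@@ -56,19 +56,6 @@ make check
 <quote>failure</> represents a serious problem.
 </para>
 
-<warning>
-<para>
-On systems lacking Unix-domain sockets, notably Windows, this test method
-starts a temporary server configured to accept any connection originating
-on the local machine. Any local user can gain database superuser
-privileges when connecting to this server, and could in principle exploit
-all privileges of the operating-system user running the tests. Therefore,
-it is not recommended that you use <literal>make check</> on an affected
-system shared with untrusted users. Instead, run the tests after
-completing the installation, as described in the next section.
-</para>
-</warning>
-
 <para>
 Because this test method runs a temporary server, it will not work
 if you did the build as the root user, since the server will not start as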
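--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -323,7 +323,7 @@ endef
 defineprove_check
 $(MKDIR_P) tmp_check/log
 $(MAKE) -C$(top_builddir) DESTDIR='$(CURDIR)'/tmp_check/install install >'$(CURDIR)'/tmp_check/log/install.log 2>&1
-cd$(srcdir) && TESTDIR='$(CURDIR)' PATH="$(CURDIR)/tmp_check/install$(bindir):$$PATH"$(call add_to_path,$(ld_library_path_var),$(CURDIR)/tmp_check/install$(libdir)) PGPORT='6$(DEF_PGPORT)'$(PROVE)$(PG_PROVE_FLAGS)$(PROVE_FLAGS) t/*.pl
+cd$(srcdir) && TESTDIR='$(CURDIR)' PATH="$(CURDIR)/tmp_check/install$(bindir):$$PATH"$(call add_to_path,$(ld_library_path_var),$(CURDIR)/tmp_check/install$(libdir))top_srcdir='$(top_srcdir)'PGPORT='6$(DEF_PGPORT)'$(PROVE)$(PG_PROVE_FLAGS)$(PROVE_FLAGS) t/*.pl
 endef
 
 else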

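--- a/src/bin/pg_ctl/t/001_start_stop.pl
+++ b/src/bin/pg_ctl/t/001_start_stop.pl
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 use TestLib;
-use Test::Moretests=>16;
+use Test::Moretests=>17;
 
 my$tempdir = TestLib::tempdir;
 my$tempdir_short = TestLib::tempdir_short;
@@ -14,6 +14,10 @@
 1,'pg_ctl start with nonexistent directory');
 
 command_ok(['pg_ctl','initdb','-D',"$tempdir/data" ],'pg_ctl initdb');
+command_ok(
+["$ENV{top_srcdir}/src/test/regress/pg_regress",'--config-auth',
+"$tempdir/data" ],
+'configure authentication');
 open CONF,">>$tempdir/data/postgresql.conf";
 print CONF"listen_addresses = ''\n";
 print CONF"unix_socket_directories = '$tempdir_short'\n";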
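Review bot: The new command_ok builds the pg_regress path from `$ENV{top_srcdir}`, which only the prove_check recipe in src/Makefile.global.in sets; run directly with prove, the path degenerates to `/src/test/regress/pg_regress` and the failure points at a missing file rather than at the unset variable. TestLib.pm's standard_initdb (and through it 002_status.pl) has the same dependency. A guard near the top of the test, `BAIL_OUT('top_srcdir is not set; run the TAP tests via make') unless $ENV{top_srcdir};`, would make the precondition explicit. The plan count of 17 is consistent with the one added assertion.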

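--- a/src/bin/pg_ctl/t/002_status.pl
+++ b/src/bin/pg_ctl/t/002_status.pl
@@ -9,7 +9,7 @@
 command_exit_is(['pg_ctl','status','-D',"$tempdir/nonexistent" ],
 4,'pg_ctl status with nonexistent directory');
 
-system_or_bail"initdb -D '$tempdir'/data -A trust >/dev/null";
+standard_initdb"$tempdir/data";
 open CONF,">>$tempdir/data/postgresql.conf";
 print CONF"listen_addresses = ''\n";
 print CONF"unix_socket_directories = '$tempdir_short'\n";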

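--- a/src/test/perl/TestLib.pm
+++ b/src/test/perl/TestLib.pm
@@ -7,6 +7,7 @@ use Exporter 'import';
 our@EXPORT =qw(
 tempdir
 tempdir_short
+standard_initdb
 start_test_server
 restart_test_server
 psql
@@ -69,6 +70,14 @@ sub tempdir_short
 return File::Temp::tempdir(CLEANUP=> 1);
 }
 
+substandard_initdb
+{
+my$pgdata =shift;
+system_or_bail("initdb -D '$pgdata' -A trust -N >/dev/null");
+system_or_bail("$ENV{top_srcdir}/src/test/regress/pg_regress",
+'--config-auth',$pgdata);
+}
+
 my ($test_server_datadir,$test_server_logfile);
 
 substart_test_server
@@ -78,7 +87,7 @@ sub start_test_server
 
 my$tempdir_short = tempdir_short;
 
-system"initdb -D '$tempdir'/pgdata -A trust -N >/dev/null";
+standard_initdb"$tempdir/pgdata";
 $ret =system'pg_ctl','-D',"$tempdir/pgdata",'-s','-w','-l',
 "$tempdir/logfile",'-o',
 "--fsync=off -k$tempdir_short --listen-addresses='' --log-statement=all",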
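Review bot: In standard_initdb the initdb call is a shell string, `system_or_bail("initdb -D '$pgdata' -A trust -N >/dev/null")`, while the pg_regress call two lines below uses list form, so a $pgdata containing a single quote or shell metacharacters is only a problem for the first call. The string form seems to be there for the `>/dev/null` redirect; either keep it with a comment such as `# shell form needed for the redirect; $pgdata is always a tempdir path here`, or drop the redirect and write `system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N');`. Both callers pass a tempdir-derived path, so the exposure is low as written. It is also worth a comment that on non-SSPI platforms `--config-auth` leaves the `-A trust` pg_hba.conf untouched (pg_regress exits 0 without doing anything there), and the protection then comes from start_test_server's `--listen-addresses=''` plus the private socket directory.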

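--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -29,6 +29,7 @@
 #include<sys/resource.h>
 #endif
 
+#include"common/username.h"
 #include"getopt_long.h"
 #include"libpq/pqcomm.h"/* needed for UNIXSOCK_PATH() */
 #include"pg_config_paths.h"
@@ -104,6 +105,7 @@ static char *dlpath = PKGLIBDIR;
 staticchar*user=NULL;
 static_stringlist*extraroles=NULL;
 static_stringlist*extra_install=NULL;
+staticchar*config_auth_datadir=NULL;
 
 /* internal variables */
 staticconstchar*progname;
@@ -965,6 +967,150 @@ initialize_environment(void)
 load_resultmap();
 }
 
+#ifdefENABLE_SSPI
+/*
+* Get account and domain/realm names for the current user. This is based on
+* pg_SSPI_recvauth(). The returned strings use static storage.
+*/
+staticvoid
+current_windows_user(constchar**acct,constchar**dom)
+{
+staticcharaccountname[MAXPGPATH];
+staticchardomainname[MAXPGPATH];
+HANDLEtoken;
+TOKEN_USER*tokenuser;
+DWORDretlen;
+DWORDaccountnamesize=sizeof(accountname);
+DWORDdomainnamesize=sizeof(domainname);
+SID_NAME_USEaccountnameuse;
+
+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&token))
+{
+fprintf(stderr,
+_("%s: could not open process token: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!GetTokenInformation(token,TokenUser,NULL,0,&retlen)&&GetLastError()!=122)
+{
+fprintf(stderr,
+_("%s: could not get token user size: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+tokenuser=malloc(retlen);
+if (!GetTokenInformation(token,TokenUser,tokenuser,retlen,&retlen))
+{
+fprintf(stderr,
+_("%s: could not get token user: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+if (!LookupAccountSid(NULL,tokenuser->User.Sid,accountname,&accountnamesize,
+domainname,&domainnamesize,&accountnameuse))
+{
+fprintf(stderr,
+_("%s: could not look up account SID: error code %lu\n"),
+progname,GetLastError());
+exit(2);
+}
+
+free(tokenuser);
+
+*acct=accountname;
+*dom=domainname;
+}
+
+/*
+* Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit
+* the current OS user to authenticate as the bootstrap superuser and as any
+* user named in a --create-role option.
+*/
+staticvoid
+config_sspi_auth(constchar*pgdata)
+{
+constchar*accountname,
+*domainname;
+constchar*username;
+char*errstr;
+charfname[MAXPGPATH];
+intres;
+FILE*hba,
+*ident;
+_stringlist*sl;
+
+/*
+* "username", the initdb-chosen bootstrap superuser name, may always
+* match "accountname", the value SSPI authentication discovers. The
+* underlying system functions do not clearly guarantee that.
+*/
+current_windows_user(&accountname,&domainname);
+username=get_user_name(&errstr);
+if (username==NULL)
+{
+fprintf(stderr,"%s: %s\n",progname,errstr);
+exit(2);
+}
+
+/* Check a Write outcome and report any error. */
+#defineCW(cond)\
+do { \
+if (!(cond)) \
+{ \
+fprintf(stderr, _("%s: could not write to file \"%s\": %s\n"), \
+progname, fname, strerror(errno)); \
+exit(2); \
+} \
+} while (0)
+
+res=snprintf(fname,sizeof(fname),"%s/pg_hba.conf",pgdata);
+if (res<0||res >=sizeof(fname)-1)
+{
+/*
+* Truncating this name is a fatal error, because we must not fail to
+* overwrite an original trust-authentication pg_hba.conf.
+*/
+fprintf(stderr,_("%s: directory name too long\n"),progname);
+exit(2);
+}
+hba=fopen(fname,"w");
+if (hba==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",hba) >=0);
+CW(fputs("host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n",
+hba) >=0);
+CW(fclose(hba)==0);
+
+snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata);
+ident=fopen(fname,"w");
+if (ident==NULL)
+{
+fprintf(stderr,_("%s: could not open file \"%s\" for writing: %s\n"),
+progname,fname,strerror(errno));
+exit(2);
+}
+CW(fputs("# Configuration written by config_sspi_auth()\n",ident) >=0);
+
+/*
+* Double-quote for the benefit of account names containing whitespace or
+* '#'. Windows forbids the double-quote character itself, so don't
+* bother escaping embedded double-quote characters.
+*/
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,username) >=0);
+for (sl=extraroles;sl;sl=sl->next)
+CW(fprintf(ident,"regress \"%s@%s\" \"%s\"\n",
+accountname,domainname,sl->str) >=0);
+CW(fclose(ident)==0);
+}
+#endif
+
 /*
 * Issue a command via psql, connecting to the specified database
 *
@@ -1957,6 +2103,7 @@ help(void)
 printf(_("Usage:\n %s [OPTION]... [EXTRA-TEST]...\n"),progname);
 printf(_("\n"));
 printf(_("Options:\n"));
+printf(_(" --config-auth=DATADIR update authentication settings for DATADIR\n"));
 printf(_(" --create-role=ROLE create the specified role before testing\n"));
 printf(_(" --dbname=DB use database DB (default \"regression\")\n"));
 printf(_(" --debug turn on debug mode in programs that are run\n"));
@@ -2023,6 +2170,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 {"launcher",required_argument,NULL,21},
 {"load-extension",required_argument,NULL,22},
 {"extra-install",required_argument,NULL,23},
+{"config-auth",required_argument,NULL,24},
 {NULL,0,NULL,0}
 };
 
@@ -2137,6 +2285,9 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 case23:
 add_stringlist_item(&extra_install,optarg);
 break;
+case24:
+config_auth_datadir=pstrdup(optarg);
+break;
 default:
 /* getopt_long already emitted a complaint */
 fprintf(stderr,_("\nTry \"%s -h\" for more information.\n"),
@@ -2154,6 +2305,14 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 optind++;
 }
 
+if (config_auth_datadir)
+{
+#ifdefENABLE_SSPI
+config_sspi_auth(config_auth_datadir);
+#endif
+exit(0);
+}
+
 if (temp_install&& !port_specified_by_user)
 
 /*
@@ -2298,6 +2457,18 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 
 fclose(pg_conf);
 
+#ifdefENABLE_SSPI
+
+/*
+* Since we successfully used the same buffer for the much-longer
+* "initdb" command, this can't truncate.
+*/
+snprintf(buf,sizeof(buf),"%s/data",temp_install);
+config_sspi_auth(buf);
+#elif !defined(HAVE_UNIX_SOCKETS)
+#error Platform has no means to secure the test installation.
+#endif
+
 /*
 * Check if there is a postmaster running already.
 */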
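Review bot: In config_sspi_auth the second `snprintf(fname,sizeof(fname),"%s/pg_ident.conf",pgdata)` has no truncation check even though "pg_ident.conf" is two characters longer than "pg_hba.conf", so a pgdata that just passes the first check can still be truncated here; pg_hba.conf would then reference map=regress while the map is written under a wrong name, and every connection is refused (fail closed, but with a confusing diagnostic). Reuse the same check, `res = snprintf(...); if (res < 0 || res >= sizeof(fname) - 1) { ... }`, or write pg_ident.conf first so the longer name is the one that is checked. In current_windows_user the `malloc(retlen)` result is handed to GetTokenInformation without a NULL check, and the literal `122` would read better as ERROR_INSUFFICIENT_BUFFER; the process token handle is also never closed, which matters little only because the function runs on a short-lived path. config_sspi_auth and regression_main both extend beyond the hunks shown.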
