Re: Securing "make check" (CVE-2014-0067)

Поиск
Список
Период
Сортировка
От David Rowley
Тема Re: Securing "make check" (CVE-2014-0067)
Дата
Msg-id CAApHDvo20RrjizJ-8iXxLHUPeMkABP00uojLpe12uH7B4sNAwg@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Securing "make check" (CVE-2014-0067)  (Noah Misch <noah@leadboat.com>)
Ответы Re: Securing "make check" (CVE-2014-0067)  (Michael Paquier <michael.paquier@gmail.com>)
Re: Securing "make check" (CVE-2014-0067)  (Noah Misch <noah@leadboat.com>)
Список pgsql-hackers
Дерево обсуждения
On 30 November 2014 at 15:02, Noah Misch <noah@leadboat.com> wrote:
On Sun, Sep 21, 2014 at 02:31:15AM -0400, Noah Misch wrote:
> It then dawned on me that every Windows build of PostgreSQL already has a way
> to limit connections to a particular OS user.  SSPI authentication is
> essentially the Windows equivalent of peer authentication.  A brief trial
> thereof looked promising.  Regression runs will need a pg_ident.conf listing
> each role used in the regression tests.  That's not ideal, but the buildfarm
> will quickly reveal any omissions.  Unless someone sees a problem here, I will
> look at fleshing this out into a complete patch.  I bet it will even turn out
> to be back-patchable.

That worked out nicely.  "pg_regress --temp-install" rewrites pg_ident.conf
and pg_hba.conf such that the current OS user may authenticate as the
bootstrap superuser and as any user named in --create-role.  Suites not using
--temp-install (pg_upgrade, TAP) call "pg_regress --config-auth=DATADIR" to
pick up those same configuration changes.  My hope is that out-of-tree test
harnesses wanting this hardening can do likewise.  On non-Windows systems,
"pg_regress --config-auth" does nothing.



f6dc6dd seems to have broken vcregress check for me:

D:\Postgres\a\src\tools\msvc>vcregress check
============== removing existing temp installation    ==============
============== creating temporary installation        ==============
============== initializing database system           ==============
============== starting postmaster                    ==============

pg_regress: postmaster did not respond within 60 seconds
Examine D:/Postgres/a/src/test/regress/log/postmaster.log for the reason

The postmaster.log reads:

LOG:  database system was shut down at 2014-12-25 15:26:33 NZDT
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
FATAL:  no pg_hba.conf entry for host "::1", user "David", database "postgres"
...
FATAL:  no pg_hba.conf entry for host "::1", user "David", database "postgres"


Having a look at the pg_hba.conf that's been generated by pgregress, it looks like it only adds a line for IPv4 addresses.

I'll admit that I don't have a great understanding of what the SSPI stuff is about, but at least the attached patch seems to fix the problem for me.

Regards

David Rowley

Вложения

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Kouhei Kaigai
Дата:
Сообщение: Re: ctidscan as an example of custom-scan (Re: [v9.5] Custom Plan API)
Следующее
От: Michael Paquier
Дата:
Сообщение: Re: Securing "make check" (CVE-2014-0067)