mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-01-06 15:24:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Secure Unix-domain sockets of "make check" temporary clusters."

Browse Source 
About half of the buildfarm members use too-long directory names,
strongly suggesting that this approach is a dead end.
This commit is contained in:
Noah Misch 2014-03-29 03:12:00 -04:00
parent 8cade31dc5
commit a8365a2d2f
2 changed files with 22 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/src/sgml/regress.sgml
View File

@ -57,14 +57,21 @@ gmake check
<warning> <warning>
<para> <para>
On systems lacking Unix-domain sockets, notably Windows, this test method This test method starts a temporary server, which is configured to accept
starts a temporary server configured to accept any connection originating any connection originating on the local machine. Any local user can gain
on the local machine. Any local user can gain database superuser database superuser privileges when connecting to this server, and could
privileges when connecting to this server, and could in principle exploit in principle exploit all privileges of the operating-system user running
all privileges of the operating-system user running the tests. Therefore, the tests. Therefore, it is not recommended that you use <literal>gmake
it is not recommended that you use <literal>gmake check</> on an affected check</> on machines shared with untrusted users. Instead, run the tests
system shared with untrusted users. Instead, run the tests after after completing the installation, as described in the next section.
completing the installation, as described in the next section. </para>
<para>
On Unix-like machines, this danger can be avoided if the temporary
server's socket file is made inaccessible to other users, for example
by running the tests in a protected chroot. On Windows, the temporary
server opens a locally-accessible TCP socket, so filesystem protections
cannot help.
</para> </para>
</warning> </warning>
@ -104,17 +111,6 @@ gmake MAX_CONNECTIONS=10 check
runs no more than ten tests concurrently. runs no more than ten tests concurrently.
</para> </para>
<para>
To protect your operating system user account, the test driver places the
server's socket in a relative subdirectory inaccessible to other users.
Since most systems constrain the length of socket paths well
below <literal>_POSIX_PATH_MAX</>, testing may fail to start from a
directory with a long name. Work around this problem by pointing
the <envar>PG_REGRESS_SOCK_DIR</> environment variable to a substitute
socket directory having a shorter path. On a multi-user system, give that
directory mode <literal>0700</>.
</para>
<para> <para>
To run the tests after installation<![%standalone-ignore;[ (see <xref linkend="installation">)]]>, To run the tests after installation<![%standalone-ignore;[ (see <xref linkend="installation">)]]>,
initialize a data area and start the initialize a data area and start the

32
src/test/regress/pg_regress.c
View File

@ -106,7 +106,6 @@ static const char *progname;
static char *logfilename; static char *logfilename;
static FILE *logfile; static FILE *logfile;
static char *difffilename; static char *difffilename;
static char *sockdir;
static _resultmap *resultmap = NULL; static _resultmap *resultmap = NULL;
@ -764,7 +763,8 @@ initialize_environment(void)
* the wrong postmaster, or otherwise behave in nondefault ways. (Note * the wrong postmaster, or otherwise behave in nondefault ways. (Note
* we also use psql's -X switch consistently, so that ~/.psqlrc files * we also use psql's -X switch consistently, so that ~/.psqlrc files
* won't mess things up.) Also, set PGPORT to the temp port, and set * won't mess things up.) Also, set PGPORT to the temp port, and set
* PGHOST depending on whether we are using TCP or Unix sockets. * or unset PGHOST depending on whether we are using TCP or Unix
* sockets.
*/ */
unsetenv("PGDATABASE"); unsetenv("PGDATABASE");
unsetenv("PGUSER"); unsetenv("PGUSER");
@ -776,24 +776,7 @@ initialize_environment(void)
if (hostname != NULL) if (hostname != NULL)
doputenv("PGHOST", hostname); doputenv("PGHOST", hostname);
else else
{ unsetenv("PGHOST");
sockdir = getenv("PG_REGRESS_SOCK_DIR");
if (!sockdir)
{
/*
* Since initdb creates the data directory with secure
* permissions, we place the socket there. This ensures no
* other OS user can open our socket to exploit our use of
* trust authentication. Compared to using the compiled-in
* DEFAULT_PGSOCKET_DIR, this also permits testing to work in
* builds that relocate it to a directory not writable to the
* build/test user.
*/
sockdir = malloc(strlen(temp_install) + sizeof("/data"));
sprintf(sockdir, "%s/data", temp_install);
}
doputenv("PGHOST", sockdir);
}
unsetenv("PGHOSTADDR"); unsetenv("PGHOSTADDR");
if (port != -1) if (port != -1)
{ {
@ -2220,11 +2203,10 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
*/ */
header(_("starting postmaster")); header(_("starting postmaster"));
snprintf(buf, sizeof(buf), snprintf(buf, sizeof(buf),
SYSTEMQUOTE "\"%s/postgres\" -D \"%s/data\" -F%s " SYSTEMQUOTE "\"%s/postgres\" -D \"%s/data\" -F%s -c \"listen_addresses=%s\" > \"%s/log/postmaster.log\" 2>&1" SYSTEMQUOTE,
"-c \"listen_addresses=%s\" -k \"%s\" " bindir, temp_install,
"> \"%s/log/postmaster.log\" 2>&1" SYSTEMQUOTE, debug ? " -d 5" : "",
bindir, temp_install, debug ? " -d 5" : "", hostname ? hostname : "",
hostname ? hostname : "", sockdir ? sockdir : "",
outputdir); outputdir);
postmaster_pid = spawn_process(buf); postmaster_pid = spawn_process(buf);
if (postmaster_pid == INVALID_PID) if (postmaster_pid == INVALID_PID)