On Mon, Mar 03, 2014 at 01:29:00AM -0500, Tom Lane wrote:
> Noah Misch <n...@leadboat.com> writes:
> > Concerning the immediate fix for non-Windows systems, does any modern system
> > ignore modes of Unix domain sockets?  It appears to be a long-fixed problem:
>
> What I was envisioning was that we'd be relying on the permissions of the
> containing directory to keep out bad guys.  Permissions on the socket
> itself might be sufficient, but what does it save us to assume that?
My first preference is to use the simplest code that POSIX requires to have the
behavior we desire.  POSIX specifies as implementation-defined whether connect()
checks filesystem permissions.  That's true of both directory search permissions
and permissions on the socket itself.  POSIX alone can't help us here.

My second preference is to use the simplest code known to be portable to all
credible PostgreSQL target systems.  Brief research was inconclusive, but it
turned up no solid evidence of a modern target ignoring socket permissions.  (It
did turn up solid evidence of 15-year-old targets having that problem.)  I found
no evidence either way concerning the prevalence of systems that ignore
directory search permissions above sockets.

I don't care for interposing a directory based solely on the fact that some
ancient systems needed that.  Changing unix_socket_permissions is a one-liner in
each test driver.  Placing the socket in a directory entails setting PGHOST in
the psql and postmaster environments and cleaning up the directory on exit.
That would be fine if restricted to pg_regress, but it would also show up in
contrib/pg_upgrade/test.sh, perhaps eventually in vcregress.pl:upgradecheck(),
perhaps in the buildfarm code, in the DBD::Pg test suite, and in any other test
suite that creates a temporary cluster.  We should not lead all those test
drivers into using a temporary socket directory based on long-gone bugs or cargo
cult programming.  If there are notable systems today where it helps, that's a
different matter.

Also, test drivers should not be the sole place where we express doubt about the
reliability of socket permissions.  If they are unreliable on a noteworthy
target, then the unix_socket_permissions documentation ought to say so.

nm

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com
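The portability question in the message above (does this system's connect() honor the mode bits on a Unix-domain socket, and does it honor search permission on the directory above it?) can be settled empirically per target rather than by archaeology. The probe below is an added example written for this page; it is not PostgreSQL code and not part of the original thread. It assumes a writable /tmp for the scratch directory and that it runs as an unprivileged user: root holds CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH on Linux (and the equivalent on the BSDs), which bypasses both checks and makes the result meaningless. It reports a denial only when connect() fails with EACCES or EPERM, so a setup error is never mistaken for enforcement.

```c
/* Probe whether connect() on a Unix-domain socket is gated by (a) the mode
 * of the socket file and (b) search permission on its directory.
 * Added example; not PostgreSQL code.  Scratch directory under /tmp is assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum { CONNECT_OK = 0, CONNECT_DENIED = 1, CONNECT_ERROR = -1 };

/* Connect to PATH and classify the outcome.  Only EACCES/EPERM count as a
 * permission denial; anything else (ENOENT, ECONNREFUSED, ...) is an error. */
static int try_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd, rc, saved;

    if (strlen(path) >= sizeof sa.sun_path)
        return CONNECT_ERROR;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return CONNECT_ERROR;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    saved = errno;
    close(fd);
    if (rc == 0)
        return CONNECT_OK;
    return (saved == EACCES || saved == EPERM) ? CONNECT_DENIED : CONNECT_ERROR;
}

struct perm_probe {
    int open_connect_ok;      /* connect() works with socket 0600 / dir 0700 */
    int socket_mode_enforced; /* socket mode 0000 makes connect() fail EACCES */
    int dir_mode_enforced;    /* directory mode 0000 makes connect() fail EACCES */
};

/* Create a listening socket in a fresh private directory, flip the mode bits
 * on the socket file and then on the directory, and record whether connect()
 * is refused each time.  Returns 0 on success, -1 if setup failed.
 * Only meaningful as an unprivileged user: root bypasses both DAC checks. */
int probe_unix_socket_perms(struct perm_probe *out)
{
    char dir[] = "/tmp/sockperm.XXXXXX";   /* assumed scratch location */
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    struct sockaddr_un sa;
    int lfd, ret = -1;

    memset(out, 0, sizeof *out);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/s", dir);

    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0)
        goto out_dir;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(lfd, 8) != 0)
        goto out_sock;

    /* Baseline: owner-only but permissive enough for the owner to connect. */
    chmod(path, 0600);
    chmod(dir, 0700);
    out->open_connect_ok = (try_connect(path) == CONNECT_OK);

    /* Does the socket file's own mode gate connect()?  (unix_socket_permissions) */
    chmod(path, 0000);
    out->socket_mode_enforced = (try_connect(path) == CONNECT_DENIED);
    chmod(path, 0600);

    /* Does search permission on the containing directory gate connect()? */
    chmod(dir, 0000);
    out->dir_mode_enforced = (try_connect(path) == CONNECT_DENIED);
    chmod(dir, 0700);

    ret = 0;
out_sock:
    close(lfd);
    unlink(path);
out_dir:
    rmdir(dir);
    return ret;
}

int main(void)
{
    struct perm_probe r;

    if (probe_unix_socket_perms(&r) != 0) {
        perror("probe setup failed");
        return 1;
    }
    printf("euid=%d open_connect_ok=%d socket_mode_enforced=%d dir_mode_enforced=%d\n",
           (int)geteuid(), r.open_connect_ok, r.socket_mode_enforced, r.dir_mode_enforced);
    return 0;
}
```

On current Linux, macOS and the BSDs run as a normal user this prints 1 for all three fields: connect() needs write permission on the socket inode and search permission on every directory above it. A target that prints socket_mode_enforced=0 is one where unix_socket_permissions alone does not protect the socket and a private directory is required; a target that prints dir_mode_enforced=0 is one where the directory trick would not help either. Run it on each buildfarm animal rather than guessing.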