On Sun, Mar 23, 2014 at 07:04:20PM -0400, Noah Misch wrote:
> On Thu, Mar 06, 2014 at 11:52:22PM -0500, Noah Misch wrote:
> > On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote:
> > > I'm inclined to suggest that we should put the socket under $CWD by
> > > default, but provide some way for the user to override that choice.
> > > If they want to put it in /tmp, it's on their head as to how secure
> > > that is. On most modern platforms it'd be fine.
> >
> > I am skeptical about the value of protecting systems with non-sticky /tmp,
> > but
> > long $CWD isn't of great importance, either. I'm fine with your suggestion.
> > Though the $CWD or one of its parents could be world-writable, that would
> > typically mean an attacker could just replace the test cases directly.
>
> Here's the patch. The temporary data directory makes for a convenient socket
> directory; initdb already gives it mode 0700, and we have existing
> arrangements to purge it when finished. One can override the socket directory
> by defining PG_REGRESS_SOCK_DIR in the environment.
And here's a documentation patch warning about the limited applicability of
unix_socket_permissions.
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 4eff91e..1c25ded 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -640,7 +640,11 @@ include 'filename'
</para>
<para>
- This parameter is irrelevant on Windows, which does not have
+ This parameter is irrelevant on systems, notably Solaris as of Solaris
+ 10, that ignore socket permissions entirely. There, one can achieve a
+ similar effect by pointing <varname>unix_socket_directories</> to a
+ directory having search permission limited to the desired audience.
+ This parameter is also irrelevant on Windows, which does not have
Unix-domain sockets.
</para>
</listitem>
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
