On Sat, Mar 29, 2014 at 01:48:33PM -0400, Andrew Dunstan wrote:
> On 03/29/2014 01:22 PM, Noah Misch wrote:
> >http://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=dromedary&dt=2014-03-29%2007%3A02%3A48
> 
> Hmm. Can we use a location with a bit more head room than the
> tmp_check/data directory? Maybe something like src/test/sockets?
> Note that the buildfarm's buildroot (the part of the name before the
> branch name) is not terribly long in some of these cases. e.g. in
> the first case it's only 32 chars long.

That's tempting, but I don't think freeing up ~25 bytes changes the verdict.
Christoph brought up that Debian builds in directory trees deeper than those
the buildfarm uses, and I suspect Debian is not alone.

I think we're back looking at using a subdirectory of /tmp, with the open
question being what properties (sticky bit, ownership, _PC_CHOWN_RESTRICTED),
if any, to verify on /tmp and its parent(s) before proceeding.  I looked
around to see what other projects are doing.  File::Temp is the one project I
found that has an option[1], disabled by default, to security-check /tmp.
Even OpenSSH simply assumes /tmp is suitable.  Perhaps the threat of insecure
/tmp has received less attention than it deserves, or perhaps secure /tmp is
considered a mandatory component of a multi-user Unix system.  In any event, I
do not feel the need to put PostgreSQL "make check" in the vanguard concerning
this issue.  Assuming a secure /tmp, like OpenSSH does, is reasonable.

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com

[1] http://search.cpan.org/~dagolden/File-Temp-0.2304/lib/File/Temp.pm#safe_level
