Hello,

On Fri, Dec 2, 2022 at 1:03 AM Thomas Munro <thomas.mu...@gmail.com> wrote:

>
> 1.  Teach mkdtemp() to make a non-world-accessible directory.  This is
> required to be able to make a socket that other processes can't
> connect to, to match the paranoia level used on Unix.  This was
> written just by reading documentation, because I am not a Windows
> user, so I would be grateful for a second opinion and/or testing from
> a Windows hacker, which would involve testing with two different
> users.  The idea is that Windows' mkdir() is completely ignoring the
> permissions (we can see in the mingw headers that it literally throws
> away the mode argument), so we shouldn't use that, but native
> CreateDirectory() when given a pointer to a SECURITY_ATTRIBUTES with
> lpSecurityDesciptor set to NULL should only allow the current user to
> access the object (directory).  Does this really work, and would it be
> better to create some more explicit private-keep-out
> SECURITY_ATTRIBUTE, and how would that look?
>

A directory created with a NULL SECURITY_ATTRIBUTES inherits the ACL from
its parent directory [1]. In this case, its parent is the designated
temporary location, which already should have a limited access.

You can create an explicit DACL for that directory, PFA a patch for so.
This is just an example, not something that I'm proposing as a committable
alternative.

> I'm fairly sure that filesystem permissions must be enough to stop
> another OS user from connecting, because it's clear from documentation
> that AF_UNIX works on Windows by opening the file and reading some
> magic "reparse" data from inside it, so if you can't see into the
> containing directory, you can't do it.  This patch is the one the rest
> are standing on, because the tests should match Unix in their level of
> security.
>

Yes, this is correct.

>
> Only the first patch is modified, but I'm including all of them so they go
> through the cfbot.

[1]
https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea


Regards,

Juan José Santamaría Flecha

Attachment: v2-0004-Doc-Abstract-AF_UNIX-sockets-don-t-work-on-Windows-a.patch
Description: Binary data

Attachment: v2-0003-WIP-Stop-using-TCP-in-TAP-tests-on-Windows.patch
Description: Binary data

Attachment: v2-0002-WIP-Always-use-Unix-domain-sockets-in-pg_regress-on-.patch
Description: Binary data

Attachment: v2-0001-WIP-Make-mkdtemp-more-secure-on-Windows.patch
Description: Binary data
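For readers without the attached patch, here is what an explicit "private, keep out" DACL of the kind discussed above looks like when done by hand. This is an added example written for this thread, not code from the v2-0001 patch or from PostgreSQL, and it is the user-space equivalent of handing CreateDirectory() a SECURITY_ATTRIBUTES whose descriptor has a protected DACL with a single ACE for the current user. It assumes Windows PowerShell 5.1 on .NET Framework, where the two-argument [System.IO.Directory]::CreateDirectory(path, DirectorySecurity) overload exists; the directory name prefix pg_private_ and the function names are the example's own.

```powershell
# Added example (not from the patch or from PostgreSQL): create a temporary
# directory whose DACL grants access to the current user only, whatever the
# parent directory's ACL would otherwise have let it inherit.
# Assumes Windows PowerShell 5.1 (.NET Framework), which exposes
# [System.IO.Directory]::CreateDirectory(path, DirectorySecurity) so the
# descriptor is applied at creation time, not afterwards.

function New-PrivateTempDirectory {
    param([string]$Parent = $env:TEMP)

    # Random name, as mkdtemp() would produce; the pg_private_ prefix is arbitrary.
    $name = 'pg_private_' + ([System.IO.Path]::GetRandomFileName() -replace '\.', '')
    $path = Join-Path $Parent $name

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # our SID

    # Exactly one Allow ACE: current user, FullControl, inherited by the files
    # (and any socket "file") and subdirectories created inside.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $security = [System.Security.AccessControl.DirectorySecurity]::new()
    # Protect the DACL (SE_DACL_PROTECTED) and do not copy the ACEs that would
    # have been inherited from $Parent.
    $security.SetAccessRuleProtection($true, $false)
    $security.AddAccessRule($rule)

    # The descriptor goes to CreateDirectory() through SECURITY_ATTRIBUTES, so
    # there is no window in which the directory exists with the parent's ACL.
    [System.IO.Directory]::CreateDirectory($path, $security) | Out-Null
    return $path
}

function Test-PrivateDirectory {
    param([string]$Path)
    # True only if the DACL is protected and consists of a single, non-inherited
    # ACE for the current user's SID.
    $acl   = Get-Acl -Path $Path
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $foreign = @($rules | Where-Object {
        $_.IdentityReference.Value -ne $me.Value -or $_.IsInherited })
    return ($acl.AreAccessRulesProtected -and $rules.Count -eq 1 -and $foreign.Count -eq 0)
}

$dir = New-PrivateTempDirectory
"Created $dir"
(Get-Acl $dir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize
"DACL restricted to current user only: $(Test-PrivateDirectory $dir)"
```

Two caveats. First, this deliberately omits the SYSTEM and Administrators ACEs that the default %TEMP% ACL carries; an administrator can still take ownership of the directory, which is the same position as root on Unix, so the two-user test Thomas asks for should be run with a second unprivileged account (for example, `runas /user:OtherUser "cmd /c dir <path>"`, which should fail with access denied). Second, on PowerShell 7 (.NET Core) the static two-argument CreateDirectory overload is not available; the same $security object can be applied with Set-Acl immediately after New-Item, at the cost of a brief window in which the directory carries the inherited ACL, which is precisely the window the C-level SECURITY_ATTRIBUTES approach in the patch avoids.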
