On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote: > Noah Misch <n...@leadboat.com> writes: > > Thanks. To avoid socket path length limitations, I lean toward placing the > > socket temporary directory under /tmp rather than placing under the CWD: > > I'm not thrilled with that; it's totally insecure on platforms where /tmp > isn't "sticky", so it doesn't seem like an appropriate solution given > that this discussion is now being driven by security concerns. > > > http://www.postgresql.org/message-id/flat/20121129223632.ga15...@tornado.leadboat.com > > I re-read that thread. While we did fix the reporting end of it, ie > the postmaster will now give you a clear failure message if your > socket path is too long, that's going to be cold comfort to anyone > who has to build in an environment they don't have much control over > (such as my still-hypothetical-I-hope scenario about Red Hat package > updates). > > I'm inclined to suggest that we should put the socket under $CWD by > default, but provide some way for the user to override that choice. > If they want to put it in /tmp, it's on their head as to how secure > that is. On most modern platforms it'd be fine.
I am skeptical about the value of protecting systems with non-sticky /tmp, but long $CWD isn't of great importance, either. I'm fine with your suggestion. Though the $CWD or one of its parents could be world-writable, that would typically mean an attacker could just replace the test cases directly. -- Noah Misch EnterpriseDB http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
