Re: sepgsql contrib module

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Simon Riggs <simon(at)2ndQuadrant(dot)com>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: sepgsql contrib module
Date: 2010-12-30 01:15:08
Message-ID: 4D1BDD1C.8010907@kaigai.gr.jp
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

(2010/12/30 9:34), Simon Riggs wrote:
> On Thu, 2010-12-30 at 09:26 +0900, KaiGai Kohei wrote:
>
>>> What happens if someone alters the configuration so that the sepgsql
>>> plugin is no longer installed. Does the hidden data become visible?
>>>
>> Yes. If sepgsql plugin is uninstalled, the hidden data become visible.
>> But no matter. Since only a person who is allowed to edit postgresql.conf
>> can uninstall it, we cannot uninstall it in run-time.
>> (An exception is loading a malicious module, but we will be able to
>> hook this operation in the future version.)
>
> IMHO all security labels should be invisible if the provider is not
> installed correctly.
>
Probably, it needs row-level granularity to control visibility of
each entries of pg_seclabel, because all the provider shares same
system catalog.
So, I don't think this mechanism is feasible right now.

> That at least prevents us from accidentally de-installing a module and
> having top secret data be widely available.
>
> If you have multiple providers configured, you need to be careful not to
> allow a provider that incorrectly implements the plugin API, so that
> prior plugins are no longer effective.
>
Yep. It is responsibility of DBA who tries to set up security providers.
DBA has to install only trustable or well-debugged modules (not limited
to security providers) to avoid troubles.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Jie Li 2010-12-30 01:54:10 Re: small table left outer join big table
Previous Message Simon Riggs 2010-12-30 00:34:36 Re: sepgsql contrib module