Re: security hook on authorization

On Mon, Oct 25, 2010 at 8:51 AM, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> One possible candidate is CheckMyDatabase() that checks ACL_CONNECT
> permission for the required database prior to execution of all the
> queries.
> Currently, we don't have any security hook around here.
> But, if we have "InvokeSecurityHook()" here, it will be able to
> kill two birds with one stone. The 1st bird is getpeercon(3), and
> the 2nd bird is permission check on the selected database.

Yeah, that might be a possibility.

>> This is closer to the mark, but mostly speculative, and not detailed
>> enough to determine whether the proposed hook is properly located.  It
>> seems rather early to me: this is before we've sent the authentication
>> packet to the client, so we couldn't, for example, log the success or
>> failure of the authentication; we don't know whether it will succeed
>> or fail.
>>
> Hmm. But the auth_failed() raises a fatal error, so we need to put
> a hook before the invocation to log a case of authentication failed.
>
> | +   if (ClientAuthentication_hook)
> | +       (*ClientAuthentication_hook)(port, status);
> | +
> |     if (status == STATUS_OK)
> |         sendAuthRequest(port, AUTH_REQ_OK);
> |     else
> |         auth_failed(port, status);
>
> Or, perhaps, we should modify this if-block to ensure the hook being
> called after sendAuthRequest() but before auth_failed().

Oh. You know, I am realizing that I misread this patch. This hook is
actually after authentication has been done; it's merely before we've
told the client what happened. So maybe this is committable as-is,
modulo some work on the comments.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company