Skip site navigation (1) Skip section navigation (2)

Re: How to get SE-PostgreSQL acceptable

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-29 03:43:41
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
> My concern is that superuser is allowed to modify system catalog
> by hand, like:
>  UPDATE pg_proc SET probin = '/tmp/'
>     WHERE oid = ...;
> It is logically same as ALTER FUNCTION.
> Even if I remove a hook from simple_heap_xxxx(), it is necessary
> to check queries from clients.

That's a valid concern, I think all we're saying here is that you need
to find a better place to block that, maybe by assigning pg_proc an
security label that prevents modification by the superuser.

> IIRC, 0racle or M$ has a patent to rewrite WHERE clause for security
> purpose, so Tom suggested it should be implemented using a hook
> deployed within executor.
> At least, it also enables code more simple.

Patents suck.  I guess we need to understand this issue better before
we can make any decisions.

> A wall between the data and _backend C code_ is not my intention.
> Its purpose is a wall between the data and clients including superuser
> via SQL queries. It is a basic assumption we cannot acquire any accesses
> from system internal entities, as SELinux do nothing for kernel loadable
> modules.
> However, please note that making a decision at more hot point is more
> good design, because it enables to reduce potential bypasses.
> At the begining, I choosed simple_heap_xxxx() as a most hot point.
> However, it can be replacable, if we can find any other place without
> omission and consistent.

That's why I was thinking about the planner...


In response to


pgsql-hackers by date

Next:From: KaiGai KoheiDate: 2009-01-29 03:44:50
Subject: Re: How to get SE-PostgreSQL acceptable
Previous:From: Andrew DunstanDate: 2009-01-29 03:36:06
Subject: Re: mingw check hung

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group