Laurenz Albe wrote:
> On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote:
> > In my extension pgsodium I'm defining a custom variable at startup to store a key:
> >
> > https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
> >
> > I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
> > and a custom "no show" show hook that obscures the value. This idea was inspired from the
> > pgcryptokey module from Bruce Momjian.
> >
> > The value cannot be shown either with SHOW or current_setting() and it does not appear in pg_settings.
> > From what I can tell, the value is inaccessible from SQL, but I think it's worth asking
> > the experts if there is some other demonstrable way, from SQL, that this value could be
> > leaked even to a superuser. no sql level user should be able to see this value, only a C function,
> > like the pgsodium_derive() from which to derive other keys, should be able to see it.
> > I realize that someone with external process access can get the key, my goal is to prevent
> > accessing it from SQL.
> >
> > Any thoughts on weaknesses to this approach would be welcome. Thanks!
> >
> > -Michel
>
> A superuser can access files and start programs on the server machine.
>
> A dedicated superuser may for example attach to PostgreSQL with a debugger
> and read the value of the variable.
>
> And if that doesn't work, there may be other things to try.
>
> It is mostly useless to try to keep a superuser from doing anything that
> the "postgres" operating system user can do.
>
> Yours,
> Laurenz Albe
But only mostly useless. :-) There are ways to limit the power of the
superuser. On Linux, for instance, "sysctl kernel.yama.ptrace_scope=3"
prevents tracing, debugging, and reading another process's memory, even
by the superuser, and the only way to turn it off is via a (hopefully
noticeable) reboot. And, if the keys aren't present on the server at
boot time, and aren't fetched from their remote source (or read from a
user) unless that yama setting is in place, then it will be very hard
for a superuser to obtain the keys. If a remote source KMS is used,
ideally, you'd also want it to cryptographically verify that its client
hadn't been tampered with (somehow), or to not hand out the keys except
for planned reboots. The point is that it's not useless to make things
harder for a superuser.
You might not stop a legitimate sitewide superuser whose family is being
held hostage, but you can stop, or at least make things much more
difficult, for a superuser process on a single host that is the result
of a software vulnerability that wasn't nobbled by apparmor or selinux
or grsecurity.
cheers,
raf
