Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) - Mailing list pgsql-hackers
| From | Peter Eisentraut |
|---|---|
| Subject | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) |
| Date | |
| Msg-id | 48D03953.6000308@gmx.net Whole thread Raw |
| In response to | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
| Responses |
Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)
(Greg Smith <gsmith@gregsmith.com>)
Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
| List | pgsql-hackers |
KaiGai Kohei wrote: > Could you tell me the current status of reviewing process in the > CommitFest:Sep? Well ... I have analyzed this patch several times now. The implementation appears to be pretty straightforward, and when the time comes, we can discuss some of the low-level details. At this time, however, I would like to take a step or two back and discuss with the rest of the community what we really want to achieve in terms of enhancing "security" and access control. We need wider input on this. The patch makes use of generic terms such as "security enhanced" and "access control extensions" and appropriates them to this particular implementation, and I am not really sure what direction we want to take with this. I have also reviewed your PGCon presentation to infer your goals behind this implementation. At the core of it, I can see a few things that are being done here: * System-wide consistency in access controls The idea is, if we use some system and language to control operating system permissions, it would be nice to use the same system and language to control access permissions in the database system and elsewhere. * Mandatory access control (MAC) This defines a global security policy on top of the discretionary access control currently in place. (Depending on how you interpret the terms and the capabilities of SELinux, it also provides Type Enforcement and Multilevel Security to some degree. These are related in some ways to MAC.) * Row-level security This defines a way to control access to rows, not only to columns. * Additional privileges The presented patches add ways to control permissions to alter tables, modify large objects, and other things as well as column-level privileges. Some of this is a moral prerequisite for a useful MAC setup. Now these items are arguably useful and welcome features in their own right. Unfortunately, this patch has chosen to provide these features in a way that makes them accessible to the least amount of users. And moreover, it bunches them all in one feature, while they should really be available independently. Let's review: *) System-wide consistency in access controls could be nice to have in some cases. But is it really achievable? In the typical three-tier web application scenario, do you really have system-wide consistency? Can you configure your application server using SELinux? I'm no expert on these things, but I wonder, would it even work in a useful way, over the network, with all the different threads, processes, and sessions going on? Or how about a desktop, pgAdmin with several database connections, can those be isolated from each other or whatever the security setup may be? And is SELinux really the desirable interface for a system-wide access control facility? Why not port chmod or POSIX ACLs to PostgreSQL, or port SQL roles back to the operating system, or something else that captures what more people are actually using in practice. *) Mandatory access control could be a useful feature for some users. But must we resort to SELinux as the configuration language and implementation backend? Why couldn't we implement a MAC system in SQL using the existing language? Also, what I read is that role-based access control (RBAC) systems are equally capable of providing the sort of stronger security that MAC users are typically looking for. (In some ways, it appears to be the newer thing.) PostgreSQL already has a pretty good role system, so we could perhaps look into enhancing that to meet the necessary functional criteria that may exist. *) Row-level security, column-level security and so on should in my mind first exist as a native SQL-level feature. It would be hard to explain that PostgreSQL does not have column-level GRANT privileges but that you can achieve the same if you go through SELinux. After all, the SE-PostgreSQL patch only hooks in to several places to throw "permission denied errors" when appropriate, so native SQL features should be able to achieve the same. (Well, there are interesting SELinux-vs-AppArmor type differences here, that may be worth considering separately.) Ultimately, I see this patch as an interesting proof of concept -- it got us on the NSA site anyway -- but I can't see more than three people actually making use of it, and they are not going to maintain this code for us in the long run. On the other hand, it provides useful features, but with what I consider suboptimal interfaces. Considering that SELinux configurations on Red Hat are now just slowly evolving from annoying to usable after many years of work, I can't see us mustering the resources to achieve a usable configuration of this in a reasonable time, let alone the resources required to verify the whole thing so that is actually provides some assurances rather than just another way to fiddle about with the system. The way I see this, the approach to be taken to achieve some kind of government-grade security system would be: 1. Implement row-level security, column-level privileges, and all other necessary permission bits as SQL features. 2. Enhance the role system to meet whatever the evaluation criteria may be. 3a. Add access control extension hooks. 3b. Implement SELinux on top of these hooks. You have already done 3a and 3b, but I think 1 and 2 should be done first.
pgsql-hackers by date: