On Tue, Nov 17, 2015 at 1:09 AM, Mohammed Ajil <ajilm@student.ethz.ch> wrote:
> I am currently working on a research project for Secure Access Control
> in PostgreSQL.
So basically you wish to decide which query is authorized to run or
not depending on its type as well as on the relation a given query
touches. I would imagine as well that you'd want to have some fancy
control granularity with what is running or not.
> For verifying my hypothesis I would like to include my own algorithm
> that makes the access control decisions for specific queries. For that I
> would like to include my own access-control.c file with its header.
> Now I have some problems understanding the makefiles, I do not quite get
> where I have to link the C file into the whole build of postgres.
Well, you could put it anywhere as long as it is compiled with binary
postgres, one example being src/backend/tcop/ which is where utility.c
is present, then modify src/backend/tcop/Makefile and add your file to
it. Roughly.
Now, of course it depends on what you want to achieve, but I think
that you could actually achieve your goal without modifying the source
code of Postgres by using the internal hooks of Postgres code (this is
undocumented, see here
https://wiki.postgresql.org/images/e/e3/Hooks_in_postgresql.pdf).
Here are a couple of example on how to do that:
- Here is one disabling ALTER SYSTEM:
https://github.com/MasaoFujii/pg_disallow_utility
- Here is another one putting restrictions on database and user I did
some time ago:
https://github.com/michaelpq/pg_plugins/tree/master/hook_utility
Those two ones are using the utility hook, to put some kind of control
on the DDL queries as well as other queries that are not
SELECT/INSERT/UPDATE/DELETE being run on a Postgres server. For those
last four ones, you could use the query planner hook, here is an
example (don't use it btw, but feel free to get inspiration from it
for your stuff):
https://github.com/michaelpq/pg_plugins/tree/master/pg_panic
Regards,
--
Michael
