Re: security hook on authorization

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, PgSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: security hook on authorization
Date: 2010-08-21 15:20:19
Message-ID: 6732EC5A-86EB-455A-B3C7-49CCB1B4E963@gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Aug 20, 2010, at 8:27 PM, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> (2010/08/20 23:34), Robert Haas wrote:
>> 2010/8/19 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> I think our standard criteria for the inclusion of hooks is that you
>> must demonstrate that the hook can be used to do something interesting
>> that couldn't be done without the hook. So far I'm unconvinced.
>>
> We cannot handle an error of labeled networking (getpeercon(3)),
> if we don't have any hook during client authorization stage.
>
> If and when a connection came from a host but we don't accept the
> delivered security label, or labeled networking is misconfigured,
> getpeercon(3) returns NULL. In this case, server cannot identify
> what label should be applied on the client, then, we should
> disconnect this connection due to the error on database login,
> not any access control decision.
>
> In similar case, psm_selinux.so disconnect the connection when
> it cannot identify what security label shall be assigned on the
> session, due to some reasons such as misconfigurations.
>
> Without any hooks at authorization stage (but it might be different
> place from this patch, of course), we need to delay the error
> handling by the time when SE-PostgreSQL module is invoked at first.
> But it is already connection established and user sends a query.
> It seems to me quite strange behavior.

You mentioned that before. I'm not totally sure I buy it, and I think there are other applications that might benefit from a hook in this area. We need to think about trying to do this in a way that is as general as possible. So I'd like to see some analysis of other possible applications.

...Robert

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Greg Stark 2010-08-21 16:00:30 Re: Version Numbering
Previous Message David E. Wheeler 2010-08-21 14:39:10 Re: Version Numbering