Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)

From: Greg Smith <gsmith(at)gregsmith(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)
Date: 2008-09-17 01:05:26
Message-ID: Pine.GSO.4.64.0809161959030.19726@westnet.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, 17 Sep 2008, Peter Eisentraut wrote:

> System-wide consistency in access controls could be nice to have in some
> cases. But is it really achievable? In the typical three-tier web
> application scenario, do you really have system-wide consistency? Can
> you configure your application server using SELinux?

Each of the tiers end up with mapping layer similar to the one implemented
here to map the SELinux permissions -> PostgreSQL. Java for example has a
whole JVM security manager component that makes it straighforward to do
such a mapping.
http://articles.techrepublic.com.com/5100-10878_11-6178805.html is a good
quick intro that shows how the call structure is similar to what the
SE-PostgreSQL code does.

> And is SELinux really the desirable interface for a system-wide access
> control facility? Why not port chmod or POSIX ACLs to PostgreSQL, or port
> SQL roles back to the operating system, or something else that captures what
> more people are actually using in practice.

The main feature of SELinux that this crowd likes is how it manages
privledge escalation risk. I'm not sure if POSIX ACLs for example are as
effective at limiting the damage an exploitable suid binary can cause.
As for what people are actually using, as someone who lives near the US
capital I can tell you that installs using SELinux are quite plentiful
around here--there really is no other UNIX-based technology for this
purpose that's gotten traction inside this government like SELinux has.

Anyway, even though I think picking SELinux as the primary security
mechanism to integrate with is a sensible choice and I'm confident that
the rest of the software stack isn't a problem, I do share your concern
that implementing row and column-level security would make more sense in a
general way first.

> Ultimately, I see this patch as an interesting proof of concept -- it got us
> on the NSA site anyway -- but I can't see more than three people actually
> making use of it

I take it you've never seen how big the NSA fort^H^H^H^Hfacility is? I'm
not sure exactly how many orders of magnitude your estimate is off by, but
I know it's at least 2 just based on conversations I've been involved in
with companies around here. A lot of the US defense and homeland security
related companies are adopting open-source software stacks because they
can audit every level of the software, and there's a big void in that
stack waiting for a database with the right security model to fill. You
are right that getting code contributions back again is a challenge
though.

--
* Greg Smith gsmith(at)gregsmith(dot)com http://www.gregsmith.com Baltimore, MD

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2008-09-17 02:42:06 Re: [PATCHES] libpq events patch (with sgml docs)
Previous Message Alvaro Herrera 2008-09-17 00:59:08 Re: Autovacuum and Autoanalyze