Security
SE-PostgreSQL uses SELinux for database security
Security Enhanced Linux (SELinux) adds layers of security on top of the traditional discretionary access control (DAC) offered by UNIX-like systems to provide more fine-grained control over the operating system objects and data. The Security Enhanced PostgreSQL (SE-PostgreSQL) project seeks to provide the same kinds of fine-grained access controls to the PostgreSQL database engine, integrating those policies with SELinux. SE-PostgreSQL has just released its 1.0 beta and is encouraging users to report any bugs before the final 1.0 release.
Traditionally, database systems use a permissions model that is similar to, but separate from, the underlying operating system permissions. Users are created within the database and granted access to various database capabilities, some of which they can pass on to others (which is a feature of DAC). In addition, database management systems (DBMS) have a privileged user that bypasses all of the permissions checks. For a system running SELinux, this situation is less than desirable, as most, if not all, of the carefully crafted policies for restricting data access are ignored by the DBMS. SE-PostgreSQL works with SELinux to apply its policies on top of the DBMS permissions, giving the administrator the fine-grained access control afforded by SELinux within PostgreSQL.
SELinux relies upon "security contexts", which are attached to each object in the operating system: files, directories, sockets, processes, users, etc. These contexts are permanently attached to the various objects and the SELinux policies then dictate how the contexts interact and what kind of operations are allowed to be performed. More information about SELinux and its enforcement mechanisms can be found on the project's webpage as well as in this introductory LWN article.
In a standard PostgreSQL installation, a Linux user can present the credentials (username and password) of any database user and perform the database operations allowed for that user. Using SE-PostgreSQL, SELinux security contexts are associated with each table, row and column of the database. The SELinux policy arbitrator in the kernel is consulted for each database operation, and each operation is either allowed or denied based on the combination of the user context and the database object context. The PostgreSQL user must still have the ability to perform the requested action, as the PostgreSQL permissions are checked before the SELinux policies are even consulted. This two-tiered permissions system is probably unnecessary, so SE-PostgreSQL could completely replace the database permissions in secure installations.
Because security contexts are attached to objects in the operating system, SE-PostgreSQL can alleviate a common problem with data migrating from the filesystem into the database. If filesystem data that requires an elevated level of security is inserted into a database table, that row will inherit the security context of the data. This will prevent users or processes with lower access capabilities from accessing it. Also, depending on the security context of the user querying the database, certain columns or rows may not be available and SE-PostgreSQL intercepts the queries and results, filtering them appropriately. Users will be able to see the query results they are allowed to access and no others.
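To make the two-tiered check and the row-level filtering described above concrete, here is a small model of it in Python. This is an added illustration, not SE-PostgreSQL's own code: it assumes a simplified MLS-style context (a sensitivity level plus a category set) and a dominance rule standing in for the real SELinux policy, and it shows the PostgreSQL grant check happening before the per-row context check and rows inheriting the context of the data they were loaded from.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Simplified MLS-style security context (assumption: level + categories)."""
    level: int                        # s0 < s1 < s2 ...
    cats: frozenset = frozenset()     # category set, e.g. {"c0", "c3"}

    def dominates(self, other: "Label") -> bool:
        # A subject may read an object only if it sits at or above the object's
        # level and holds every category the object is tagged with.
        return self.level >= other.level and self.cats >= other.cats


@dataclass
class Row:
    data: dict
    label: Label                      # the context attached to this row


class Database:
    """Toy DBMS with PostgreSQL-style grants (DAC) and a per-row MAC filter."""

    def __init__(self):
        self.tables: dict[str, list[Row]] = {}
        self.grants: dict[tuple[str, str], set[str]] = {}   # (user, table) -> privileges

    def grant(self, user: str, table: str, priv: str) -> None:
        self.grants.setdefault((user, table), set()).add(priv)
        self.tables.setdefault(table, [])

    def _dac_check(self, user: str, table: str, priv: str) -> None:
        # Tier 1: ordinary PostgreSQL permissions, consulted before SELinux.
        if priv not in self.grants.get((user, table), set()):
            raise PermissionError(f"DAC: {user} lacks {priv} on {table}")

    def insert(self, user: str, table: str, data: dict, source: Label) -> None:
        self._dac_check(user, table, "INSERT")
        # The new row inherits the context of the data it came from, so a
        # row loaded from a high-sensitivity file stays high-sensitivity.
        self.tables[table].append(Row(data, source))

    def select(self, user: str, subject: Label, table: str) -> list:
        self._dac_check(user, table, "SELECT")
        # Tier 2: the policy decision per row; rows the subject does not
        # dominate are filtered out rather than producing an error.
        return [r.data for r in self.tables[table] if subject.dominates(r.label)]
```

A user with a SELECT grant but a low context sees only the rows their context dominates, while a user with a high context but no grant is refused before the policy is ever consulted.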
Another related project is PostgreSQL Access Control Extension (PGACE), which provides an interface for PostgreSQL to use the facilities of a secure operating system. This allows SE-PostgreSQL to use the SELinux facilities, but will also allow PostgreSQL to use the Trusted Solaris or other security-oriented operating system facilities. It is meant to provide a common framework of hooks that PostgreSQL can call to determine whether to permit or deny access. It is similar in spirit to the Linux Security Modules (LSM) interface which allows different security implementations to be used by the kernel.
The development of SE-PostgreSQL was supported by the Exploratory Software Project of Japan's Information-Technology Promotion Agency. This project is aimed at funding young developers with new ideas and SE-PostgreSQL would certainly qualify. For security conscious companies using SELinux and PostgreSQL, a look at this project should be high on the list.
Brief items
Samsung printer drivers open up the system
A LinuxFR reader has sent out an alert (in French) about the Samsung SCX-4200 printer driver for Linux. It appears that the driver author had some trouble with the Linux permission model; the response was to make a few applications run setuid root. A quick look at the install script shows that the affected programs are xsane, xscanimage, and the major OpenOffice.org components. The script also replaces some CUPS executables and does some other fun things. This seems like code to avoid for anybody wanting to run a remotely secure system.
HP joins the RHEL5 security certification party
HP announced yesterday that it has been awarded Evaluation Assurance Level 4 (EAL4+) security certification for Red Hat Enterprise Linux 5 (RHEL5) running on various server and workstation platforms. HP/RHEL5 is certified with the same set of protection profiles used in the earlier IBM/RHEL5 certification. "HP has been awarded EAL4+, the highest level of assurance for an unmodified, commercial operating system, for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile, and Role-Based Access Control Protection Profile for Red Hat Enterprise Linux 5 on HP Integrity, ProLiant and BladeSystem platforms as well as select workstations and desktops."
New vulnerabilities
curl: insufficient verification methods
| Package(s): | curl | CVE #(s): | CVE-2007-3564 |
| Created: | July 17, 2007 | Updated: | July 19, 2007 |
| Description: | The GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates. |
| Alerts: | |
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 |
| Created: | July 18, 2007 | Updated: | May 12, 2008 |
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738) Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute their own code or display their own content with the URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system, potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler, allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases, Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
| Alerts: | |
flac123: arbitrary code execution
| Package(s): | flac123 | CVE #(s): | CVE-2007-3507 |
| Created: | July 13, 2007 | Updated: | October 22, 2007 |
| Description: | A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length. |
| Alerts: | |
flash-plugin: input validation flaw
| Package(s): | flash-plugin | CVE #(s): | CVE-2007-3456 |
| Created: | July 12, 2007 | Updated: | August 10, 2007 |
| Description: | The Firefox flash-plugin module has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code. |
| Alerts: | |
LedgerSMB: authentication bypass
| Package(s): | LedgerSMB | CVE #(s): | |
| Created: | July 18, 2007 | Updated: | July 18, 2007 |
| Description: | The problem occurs because of a flaw in the redirect code which was replaced in order to support additional environments. The redirection code in this case can be accessed through the login module and tricked into providing access without proper authentication. |
| Alerts: | (No alerts in the database for this vulnerability) |
mysql: multiple vulnerabilities
| Package(s): | mysql | CVE #(s): | CVE-2007-3780 |
| Created: | July 17, 2007 | Updated: | November 27, 2007 |
| Description: | MySQL Community Server before v5.0.45 has multiple vulnerabilities. See the MySQL Community Server 5.0.45 release announcement for details. |
| Alerts: | |
tomcat: cross-site scripting
| Package(s): | tomcat | CVE #(s): | CVE-2007-2449 CVE-2007-2450 |
| Created: | July 17, 2007 | Updated: | February 17, 2009 |
| Description: | Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449). Note: it is recommended the 'examples' web application not be installed on a production system. The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450). |
| Alerts: | |
xnview: buffer overflow
| Package(s): | xnview | CVE #(s): | CVE-2007-2194 |
| Created: | July 12, 2007 | Updated: | July 18, 2007 |
| Description: | The XnView image processing utility is vulnerable to a stack-based buffer overflow due to improper handling of XPM image files. If an attacker can trick a user into viewing a specially crafted image file, it may be possible to execute code with the privileges of the user. |
| Alerts: | |
X.org: temp file vulnerability
| Package(s): | X.org | CVE #(s): | CVE-2007-3103 |
| Created: | July 12, 2007 | Updated: | July 2, 2009 |
| Description: | The X.Org X11 xfs font server has a temp file vulnerability in the startup script. A local user can modify the permissions of the script in order to elevate their local privileges. |
| Alerts: | |
Page editor: Jake Edge