|
|
Subscribe / Log in / New account

SEPostgres

SEPostgres

Posted Sep 12, 2011 23:27 UTC (Mon) by Pc5Y9sbv (guest, #41328)
In reply to: SEPostgres by SEJeff
Parent article: PostgreSQL 9.1 released

In the given scenario of a multi-tenant web service, where the owner would be the system operator, isn't the distinction between MAC and DAC a bit elusive?

The "owner" of the database (or namespace), who would set RBAC policies, would be the sys op. The sys op would also be the one creating the SEPostgres policies. I think this is an important pragmatic fact.

to post comments

SEPostgres

Posted Sep 13, 2011 12:49 UTC (Tue) by SEJeff (guest, #51588) [Link] (8 responses)

"""
In the given scenario of a multi-tenant web service, where the owner would be the system operator, isn't the distinction between MAC and DAC a bit elusive?
The "owner" of the database (or namespace), who would set RBAC policies, would be the sys op. The sys op would also be the one creating the SEPostgres policies. I think this is an important pragmatic fact.
"""

Hi, I think you're still completely missing the point of MAC. MAC does *not* replace DAC. MAC complements DAC. With SELinux in a full MLS strict enforcing mode, you can pretty much eliminate the concept of "root" or "sys op" entirely. What if someone in "rogue webapp A" manages to exploit a flaw and install a shell on your webserver and somehow gets root privileges with said shell? With SELinux that "root" shell could be as good as worthless and would still disallow access to data from "secure webapp B" in the proper enforcing mode. Please do take some time and try to understand the subtle differences between DAC and MAC. It takes awhile to wrap your head around.

You're thinking far to course where MAC lets you do things much much more fine-grained. As a SELinux fan, I also use Posix ACLs quite a bit for scary permissioning problems. Does that mean that ACLs should replace standard DAC? Nope. It should be used as a means to complement and further secure what already exists.

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 15:47 UTC (Tue) by Pc5Y9sbv (guest, #41328) [Link] (5 responses)

Hang on, I do appreciate the idea of security in depth, and how SE-Linux can complement other policy layers. I understand how SE-Linux contexts can be assigned to different clients to limit their ability to expand their privileges. However, my question was specifically about its application in SEPostgres to the problem of partitioning application data for different "sites" as described in the article...

I don't think "discretionary" vs. "mandatory" is a binary distinction when we're talking about fine-grained database resources not managed by the kernel. I still don't see how Postgres RBAC is any less mandatory than SEPostgres when it comes to isolating databases, schema, or tables between application tenants.

If I can subvert an application (database client process) I am not able to override the RBAC nor the SEPostgres policies being enforced on database resources. But, if I can subvert all per-site instances of the multi-tenant application, i.e. due to an application exploit rather than a site-specific configuration flaw, I can break down the per-site isolation to access whichever tenant's data I want, simply by controlling the right database client instance that already has privileges granted by RBAC and SEPostgres. Also, if I manage to subvert the database manager process, it seems I would be equally able to suppress the RBAC or the SEPostgres enforcement within that process to access database resources.

What am I missing here?

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 16:13 UTC (Tue) by dpquigl (guest, #52852) [Link] (1 responses)

In your example you're talking about an exploit in Postgres itself. If that is the case you are correct that can be used to bypass RBAS or SEPostgres. The database server is the object manager in the case of SEPostgres so exploiting the database server itself and bypassing SEPostgres is the equivalent of exploiting the kernel and bypassing SELinux. An exploit at the level that the mechanism is implemented can't be protected against at that level. The example I gave was a flaw in applications which use the database not the database itself.

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 16:46 UTC (Tue) by raven667 (subscriber, #5198) [Link]

That's actually an important point that should probably be explored more. SELinux implemented in the kernel can't protect against code that exploits the kernel. It is worth examining the assumption that a complex, fine-grained permissions system is worth the amount of effort required because any security exploit is going to have a rootkit running in the kernel that can completely bypass any permissions system. I thought redhat provided some data on how effective SELinux is in preventing exploit of the different CVEs they patch but I can't find it right now.

Just to be clear, for a sysadmin managing an SELinux system it isn't that hard to work with and so it very likely provides a useful protection that is worth the effort. For the sysadmin who just needs to tweak policies or write rules for home-grown software I did not find it nearly as difficult as one would be led to believe. I think more effort has been spent in complaining about it than in learning how to use it.

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 16:19 UTC (Tue) by dpquigl (guest, #52852) [Link] (2 responses)

I missed the first part of your last paragraph in my other response. I'm not quite understanding the scenario you're proposing. Could you provide a more concrete example?

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 17:24 UTC (Tue) by Pc5Y9sbv (guest, #41328) [Link] (1 responses)

The example was given of using SEPostgres to isolate the database state used by each "site" instance of a multi-tenant web application, which I claim is equivalent protection to using the normal Postgres RBAC model to protect different database instances created for each "site" instance. We're talking about roles or contexts assigned to the application for all its users, not fine-grained roles or contexts assigned to individual web users. The application is the enforcement point protecting data from unprivileged web users, not Postgres. Postgres is just protecting other applications' data from an application that breaks.

If I attack the application, I might subvert just one instance, for example by hijacking the web client that has site-level "super user" privileges to access data I shouldn't see or by using a code exploit that depends on invalid/unsafe data stored in that application instance. Neither RBAC nor SEPostgres helps here, because it still looks like the application code accessing its normal database content.

If I find an exploit in the web application code, not depending on the site-specific data content, I can repeat the attack on whichever site I want, and I can also access whatever data that Postgres would normally supply to that application instance. This is no different than if the "site" instances were each on physically separate servers with completely independent Postgres servers too. We see these sorts of exploits published all the time, due to the many layers of libraries and frameworks used for convenience on the web.

To do fine-grained restrictions, you would need to assign roles and/or context to each remote web user. This is a bootstrapping problem of getting from Internet-originated TCP stream containing an HTTP request to a restricted context suitable for evaluating the request. This means trusting Apache httpd and whatever web application components are involved in authentication and context establishment, much as we trust sshd today in establishing SE-Linux context for remote users.

To make SEPostgres "more mandatory", it would require pushing the access enforcement back into the kernel, e.g. by applying different SE-Linux contexts to different filesystem objects storing portions of the data, and having the query engine run in a more limited context for each client/query and making it tolerate refusals to access some elements of the data store. For example, each table is a separate file that could be protected to different levels, but you'd have to change the storage format to support column or row-level protections. You could then have the query engine act as if denied data does not exist. But this would probably require relaxing certain data integrity constraints, since they require a unified, global view of the existing data to validate them. But, you are still trusting parts of Postgres to act like sshd in establishing the right process context for clients.

DAC vs. MAC in SEPostgres

Posted Sep 13, 2011 19:45 UTC (Tue) by dpquigl (guest, #52852) [Link]

Ok I understand what you're saying now. Lets start at addressing paragraph 4 . I completely agree with you that you need something to be assigning sensible contexts to the request. mod_selinux (SELinux+) for apache does this. It has two ways of deciding this. One is that is uses authentication information to figure out the context similar to how sshd figures it out for a login and password. The second is based on the URL. Either way Apache assigns a context to the worker thread processing the request. Currently the second approach works on the site level so www.google.com or www.lwn.net and not specific pages. If it were extended to specific pages you could make it such that login processing is a trusted procedure in the PG database and only the page www.mysite.com/login has a context able to execute the trusted procedure.

Your 5th paragraph is an interesting idea but would require major rearchitecting of the database to do that. The idea at the base of it though is should the database server be in the TCB. If you can have it be in the TCB then having it act as the object manager is acceptable. I don't think however that we're trusting Postgres to establish the process context. In this case the context is still coming from the kernel. Postgres uses a function called getpeercon which has the kernel return the context of the user on the other end of the connecting socket. In the case of a CLI program its the program's context in the case of apache its the worker thread context. From there Postgres uses a call in libselinux that takes this context and the label on the database object in question and gives it to the kernel to make an access control decision. After that it is up to Postgres to enforce the decision.

Your design makes me think that you've worked on MLS databases before (I'm actually wondering who you are) since it would allow you to do separation of different sensitivity levels and compartments. There are people who currently try to do that with Postgres and what they have encountered is that once you start developing the lattice you get a ton of servers each with their own contexts. Instead by making Postgres be the object manager and assigning labels to the database objects themselves it allows more relevant decisions to be made. Like whether this Top Secret trusted procedure can be executed by a secret level process. Or another example that a secret process can run a trusted procedure that has access to TS data because the procedure is known to scrub it down to a S level. The idea is that by virtue of being a database Postgres has better knowledge about the objects in itself. It definitely is better suited to make decisions than the kernel is. So we make it what's called a userspace object manager. The kernel still gets to make the access control decision however the userspace object manager enforces it.

The reason the kernel can still make these decisions is because of the Flask architecture which separates the policy from the mechanism. Inside flask the policy exists as a set of masks which say if I'm given identifier a and it wants to act on an object of a certain type with identifier b here are the permissions it has (which is a bitmask). it knows nothing about what the object classes are for the user space components. It just knows that user space asked it for a decision based on 3 integers and a bitmask.

SEPostgres

Posted Sep 13, 2011 15:59 UTC (Tue) by foom (subscriber, #14868) [Link] (1 responses)

> What if someone in "rogue webapp A" manages to exploit a flaw and install a shell on your webserver and somehow gets root privileges with said shell? With SELinux that "root" shell could be as good as worthless and would still disallow access to data from "secure webapp B" in the proper enforcing mode.

No, if someone in "rogue webapp A" manages to exploit a flaw to get root, *that same flaw* can be used to become "super-root", bypassing all SELinux access control. SELinux *does not* protect you if the attacker has a kernel exploit.

SEPostgres

Posted Sep 13, 2011 16:03 UTC (Tue) by SEJeff (guest, #51588) [Link]

In a full MLS environment with the proper policy, you are incorrect. Note I was not mentioning a kernel flaw. There are plenty (the majority likely) of non-kernel exploits to become root.

http://www.coker.com.au/selinux/play.html for an example of why "root" is not so powerful in a full MLS SELinux environment.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds