From: KaiGai Kohei on
(2010/06/15 21:37), Stephen Frost wrote:
> KaiGai,
>
> * KaiGai Kohei (kaigai(a)ak.jp.nec.com) wrote:
>> In the attached patch, the security hook was moved to ClientAuthentication()
>> from InitPostgres(), for more clarification of the purpose.
>> What I want to do is to assign additional properties to identify the client
>> (such as security label) for each authenticated session.
>>
>> Its purpose is similar to "session" module of PAM in operating system.
>> It allows to assign additional session properties more than user-id.
>
> That's all fine- but let's work within the confines of the *existing*
> hook that's been discussed to get something working first before we go
> adding hooks in other places. I think it's important that we put
> together at least a proof of concept that an SELinux module or other
> external auth module can sensible use the DML hook.
>
Yes, I'd like to introduce the reason and purpose of the hook.

At first, please assume any external security modules should be loaded
as shared preload libraries, because 'local_preload_libraries' setting
can be overwritten using connection string.
So, _PG_init() shall be invoked at the starting-up of the postmaster
daemon process at once, not per connection.

On the other hand, a security feature have to identify the client and
assign an appropriate set of privileges on the session prior to it being
available for users.
E,g. The default PG security assigns a certain database user-id on
the current session, then it will be used for access control decision.
In a similar way, an external security also wants a chance to identify,
authenticate and authorize the client. (SELinux uses getpeercon() to
obtain security label of the peer process, and applies it as privilege
of the current session.)

However, here is no hooks available for the purpose. In this case,
_PG_init() is not called for each connections, because the module is
a shared preload library, so we have to call getpeercon() in another
point.

One idea is, as Robert suggested, that we can invoke getpeercon() at
the first call of SELinux module and store it on the local variable.
It will work well as long as getpeercon() does not cause an error.

Robert pointed out we can always raise ERROR or FATAL using ereport(),
if it is troubled.
However, it seems to me a trouble of getpeercon() is fundamentally
an error within the step of client authentication.
In the case of database user-id, it immediately raises an error, and
close the connection. I think we should follow the manner of similar
features, so I proposed the new security hook at the authentication.

Thanks,

> After that, we can discuss what other hooks are needed. KaiGai, please,
> before sending in patches of any kind, propose at a high-level what the
> problem is and what the security module needs in general terms. If you
> have a recommendation, that's fine, but let's talk about it before
> implementing anything.
>
> Thanks,
>
> Stephen


--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: KaiGai Kohei on
(2010/06/16 21:37), Stephen Frost wrote:
> KaiGai,
>
> * KaiGai Kohei (kaigai(a)ak.jp.nec.com) wrote:
>> On the other hand, a security feature have to identify the client and
>> assign an appropriate set of privileges on the session prior to it being
>> available for users.
> [...]
>> However, here is no hooks available for the purpose.
>
> I believe we understand the issue now, my point was that in the future
> let's have this discussion first.
>
>> One idea is, as Robert suggested, that we can invoke getpeercon() at
>> the first call of SELinux module and store it on the local variable.
>> It will work well as long as getpeercon() does not cause an error.
>
> Let's work with this approach to build a proof-of-concept that at least
> the DML hook will work as advertised. We've got alot of time till 9.1
> and I think that if we can show that a module exists that implements
> SELinux using the DML hook, and that a few other hooks are needed to
> address short-comings in that module, adding them won't be a huge issue.
>
OK, fair enough. Please wait for a few days.
I'll introduce the proof-of-concept module until this week.

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: KaiGai Kohei on
(2010/07/08 23:58), Stephen Frost wrote:
> * Robert Haas (robertmhaas(a)gmail.com) wrote:
>> I'm not sure what the best thing to do about this is. I think it
>> might be a good idea to start with some discussion of what problems
>> people are trying to solve (hopefully N> 1?) and then try to figure
>> out what a good solution might look like.
>
> Guess my first thought was that you'd have a database-level label that
> would be used by SELinux to validate a connection. A second thought is
> labels for roles. KaiGai, can you provide your thoughts on this
> discussion/approach/problems? I realize it's come a bit far-afield from
> your original proposal.
>

Let's sort out the point at issues from perspective of the models.

Please remind the authentication (in broad-sense) is consist of a few steps.

1) Identification
In this step, system tries to obtain the identifier of client.
Typically, it is a username provided using connection string in pgsql.

2) Authentication (in narrow-sense)
In this step, system tries to verify whether the given identifier is
correct, or not. Typically, it checks the password corresponding to
the user.

3) Authorization
In this step, system tries to assign a set of privileges on the new
session. Typically, it is user identifier itself, because DAC makes
access control decision based on the combination of user identifier
and access control list of the objects.
But all the security modules also intend to utilize the user identifier
for its own access control decision. E.g, SELinux uses a security label
of the client process. If we would have something like Oracle Label
Security, client's label may be associated with a certain database role
that is already authorized.


The purpose of my patch was to provide an external security provider
a chance to (3) authorize the new session based on or not-based on
the (1) identification and (2) authentication.

If we try to allow security providers to get control all of the 1-3,
it might be hard to find the best place to put the hook right now.
But, at least, SELinux does not have a plan to interpose identification
and authentication. All I want to do here is to authorize the client
just after authentication process.

I'd like to suggest that we focus on the (3) authorization process
for functionality of the patch. It may be also worth to control
identification and authentication using security provider, but we don't
have actual guest module right now.

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: KaiGai Kohei on
(2010/07/09 23:52), Stephen Frost wrote:
> * Stephen Frost (sfrost(a)snowman.net) wrote:
>> Guess my first thought was that you'd have a database-level label that
>> would be used by SELinux to validate a connection. A second thought is
>> labels for roles. KaiGai, can you provide your thoughts on this
>> discussion/approach/problems? I realize it's come a bit far-afield from
>> your original proposal.
>
> Something else which has come up but is related is the ability to
> support a "pam_tally"-like function in PG. Basically, the ability to
> lock users out if they've had too many failed login attempts. I wonder
> if we could add this hook (or maybe have more than one if necessary) in
> a way to support a contrib module for that.
>
It seems to me a good idea.

BTW, where do you intend to apply this "pam_tally" like functionality?
If it tries to lock users out on the identification stage; like the
pam_tally.so on operating systems, the hook should be placed on the
top-half of ClientAuthentication().

On the other hand, when we tries to set up properties of a certain user's
session, it needs to be placed on the authorization stage.
In the PG code, InitializeSessionUserId() just performs the role to assign
the authenticated user's identifier on the current session. It seems to me
it is a candidate where we put a hook on the authorization stage.

Of course, these are not exclusive. We can provide two hooks to provide
a chance to get control on identification and authorization stages.

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers