Hi,
I'm working on adding a plugin API (not exactly a storage engine API, rather an
extension one) to TokuMX[1] and I'm looking for advice on security.
The basic idea is fairly simple: a plugin is a shared library (we're only
targeting Linux right now, by the way) that defines a symbol to bootstrap the
loading of additional functionality. We have an admin-only command that calls
dlopen and dlsym to load the plugin.
I haven't read any of the MariaDB plugin code yet, so pointers to where to
start reading would be appreciated. Apart from that, I'm just looking for any
advice from you all about what to watch out for. My concerns break down into
two main areas:
1. When loading a single plugin, what should I watch out for? The command
itself is admin-only so calling it is protected, but what about an attacker
that drops a malicious plugin in a directory earlier on the load path? What
should I check about the permissions/owner of the library file and the
directory in which it lives? Is erroring out on world-writable libraries
enough? If my process is setuid, should I be more careful? What does Maria do
here?
2. About plugin persistence/autoloading: I understand MariaDB has a system
table that tracks which plugins are installed and automatically loads those on
startup. I believe I can do the same thing in TokuMX and I can restrict access
to that collection to the admin user. What does MariaDB store in that table and
how does it use it? I could imagine storing the checksum of the installed
plugin in the system table and verifying it before loading the plugin, but this
seems rather draconian and it might make plugin upgrades too difficult. Does
MariaDB verify the permissions of the data files that store this system table?
I could imagine an attack where you would replace this system table with one
that includes instructions to load your malicious plugin, while the server is
offline. Again, how does MariaDB solve these problems? Another option is to
autoload all libraries in some directory, and to just be very careful about the
permissions of that directory, but this seems very hard to get totally right so
I'm leaning away from it.
[1]: http://www.tokutek.com/products/tokumx-for-mongodb
--
Cheers,
Leif
_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to : [email protected]
Unsubscribe : https://launchpad.net/~maria-developers
More help : https://help.launchpad.net/ListHelp