Big thanks to Serge{i,y} for these suggestions. They helped me nail down what 
we're going to to. 


For the record, we'll only load at startup plugins listed on the command line 
or config file, and these must come with a checksum or an explicit declaration 
that you don't want the checksum validation. We'll have an admin only command 
as well, but it doesn't persist the load request anywhere. And we'll only 
accept plugins from one directory, and it can't contain "..".


If anyone thinks of other issues and shares them with me, I'll appreciate it. 
-- 
Cheers,
Leif

On Mon, Jul 29, 2013 at 1:44 PM, Sergey Vojtovich <[email protected]>
wrote:

> Hi Leif,
> 29.07.2013, в 19:13, Leif Walsh <[email protected]> написал(а):
>> Hi,
>> 
>> I'm working on adding a plugin API (not exactly a storage engine API, rather 
>> an extension one) to TokuMX[1] and I'm looking for advice on security. 
>> 
>> The basic idea is fairly simple: a plugin is a shared library (we're only 
>> targeting Linux right now, by the way) that defines a symbol to bootstrap 
>> the loading of additional functionality. We have an admin-only command that 
>> calls dlopen and dlsym to load the plugin. 
>> 
>> I haven't read any of the MariaDB plugin code yet, so pointers to where to 
>> start reading would be appreciated. Apart from that, I'm just looking for 
>> any advice from you all about what to watch out for. My concerns break down 
>> into two main areas:
> Plugin loading functionality is mostly in sql/sql_plugin.cc. Plugin data 
> types and declarations are in include/mysql, start with plugin.h.
>> 
>> 1. When loading a single plugin, what should I watch out for? The command 
>> itself is admin-only so calling it is protected, but what about an attacker 
>> that drops a malicious plugin in a directory earlier on the load path? What 
>> should I check about the permissions/owner of the library file and the 
>> directory in which it lives? Is erroring out on world-writable libraries 
>> enough? If my process is setuid, should I be more careful? What does Maria 
>> do here?
> MySQL/Maria doesn't do much wrt plugin load security. Just a few things on my 
> mind:
> - installing/uninstalling plugins requires privilege
> - it won't load plugin from directories other than specified by --plugin-dir 
> (check plugin name carefully for "..")
> - there is FORCE_PLUS_PERMANENT plugin option, which forbids plugin 
> deinstallation at all (originally was intended for audit plugins)
> We could probably save shared object checksum (or even better subscribe 
> plugins) to detect library replacement, but we do not do it yet.
>> 
>> 2. About plugin persistence/autoloading: I understand MariaDB has a system 
>> table that tracks which plugins are installed and automatically loads those 
>> on startup. I believe I can do the same thing in TokuMX and I can restrict 
>> access to that collection to the admin user. What does MariaDB store in that 
>> table and how does it use it? I could imagine storing the checksum of the 
>> installed plugin in the system table and verifying it before loading the 
>> plugin, but this seems rather draconian and it might make plugin upgrades 
>> too difficult. Does MariaDB verify the permissions of the data files that 
>> store this system table? I could imagine an attack where you would replace 
>> this system table with one that includes instructions to load your malicious 
>> plugin, while the server is offline. Again, how does MariaDB solve these 
>> problems? Another option is to autoload all libraries in some directory, and 
>> to just be very careful about the permissions of that directory, but this 
>> seems very hard to get totally right so I'm leaning away from it. 
> Check mysql.plugin table. To my knowledge neither MySQL nor MariaDB verify 
> shared object permissions. As well as I'm not aware of any extra protection 
> of system tables, except for proper file permissions of course.
> Regards,
> Sergey
>> 
>> [1]: http://www.tokutek.com/products/tokumx-for-mongodb
>> -- 
>> Cheers,
>> Leif
>> _______________________________________________
>> Mailing list: https://launchpad.net/~maria-developers
>> Post to     : [email protected]
>> Unsubscribe : https://launchpad.net/~maria-developers
>> More help   : https://help.launchpad.net/ListHelp
_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp

Reply via email to