Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sM3AK-000Mp5-09 for pgsql-hackers@arkaria.postgresql.org; Tue, 25 Jun 2024 10:12:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sM3AI-00EqQR-9l for pgsql-hackers@arkaria.postgresql.org; Tue, 25 Jun 2024 10:12:42 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sM3AH-00EqQI-BA for pgsql-hackers@lists.postgresql.org; Tue, 25 Jun 2024 10:12:42 +0000 Received: from fout7-smtp.messagingengine.com ([103.168.172.150]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sM3AE-0032Po-O7 for pgsql-hackers@postgresql.org; Tue, 25 Jun 2024 10:12:40 +0000 Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfout.nyi.internal (Postfix) with ESMTP id 57871138019C; Tue, 25 Jun 2024 06:12:37 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Tue, 25 Jun 2024 06:12:37 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1719310357; x= 1719396757; bh=GqvjnmUMAwiGWPOEfOAaEqdcoZ+gXtwEtOOrSk1hzsI=; b=R m7+Y6m4j5DtYd+m6vxzxBDR21r3v68uY3tI2McW82c7//o1X0yyfoJVHH5oyh0xt ClCT7SAp4ve72/GZWZqrIoZKYc6v9XfyMw/Oo+Ar3Oh7/zd9rgJeKoYSs0gsxTKx jDPVDS57nlswGnsKyXRTk15nTdNHtKulNd+a3kK50ObydLDt7Ged5LdZ1ONrlm0j A/fBT8UqBOG2tSUXWJQxttxTAOl3u3SZrv1soGxKylsIEOePbQ2NNnCIkUHLAUNu 8iwJWDjQG3D8pLkpT+U5wJFstKLp8o12T2nYJh8oRON4u5NZbKd4E2gbdgxWmIS3 IcEK6HLHValSb4rXkJL/w== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfeegfedgvdehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkgggtugfgjgesthekredttddtjeenucfhrhhomheptehlvhgr rhhoucfjvghrrhgvrhgruceorghlvhhhvghrrhgvsegrlhhvhhdrnhhoqdhiphdrohhrgh eqnecuggftrfgrthhtvghrnhepvdektdffudfftdffffehfffhjeejhffgieeuueekjeek fffgudffhfduffffueevnecuffhomhgrihhnpegvnhhtvghrphhrihhsvggusgdrtghomh enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhhv hhgvrhhrvgesrghlvhhhrdhnohdqihhprdhorhhg X-ME-Proxy: Feedback-ID: ia2694551:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 25 Jun 2024 06:12:36 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alvh.no-ip.org; s=schmee; t=1719310353; bh=NxLXmPw4EURfJ5CPdAhiioCqQVUSplC6HbFgdHUJnKI=; h=Date:From:To:Cc:Subject:In-Reply-To:From; b=YzxdTuQjfrntvmJ2tJ6WvL6uIr5MzSGXf2TaE9EsIxC5KjxbCswck4lfzgjvFyJU0 G+0uKuDrdUnH7yP71Yf6m0UhX/BEcFRHpT4A6rB7gfM7OTxT5kvftgdYFpwvVKoqwB FDf7++vilDXI2k//yUG6K8pbqJqBdJpL/dHTLoL86axt7wErKEPA2uH2Qez5MLVODp hPoLYMaWssa4OMycIIzDqMkhgbV2q+azvTfPc8yscOl198pkmYZZaewjZ4xj6lCL1N 0xXEhl2TThQI4DW8dA1Fil8rCbYUsMrECOUWnix0yq1gUn5iQXhYLCiOUi2RUrDPAJ MVmMepsBrXujg== Received: by schmee.alvh.no-ip.org (Postfix, from userid 1000) id EA070527; Tue, 25 Jun 2024 03:12:33 -0700 (PDT) Date: Tue, 25 Jun 2024 12:12:33 +0200 From: Alvaro Herrera To: Robert Haas Cc: "David E. Wheeler" , PostgreSQL-development Subject: Re: RFC: Additional Directory for Extensions Message-ID: <202406251012.brdp2dobkf7n@alvherre.pgsql> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2024-Jun-24, Robert Haas wrote: > Is "tighten up what the superuser can do" on our list of objectives? > Personally, I think we should be focusing mostly, and maybe entirely, > on letting non-superusers do more things, with appropriate security > controls. The superuser can ultimately do anything, since they can > cause shell commands to be run and load arbitrary code into the > backend and write code in untrusted procedural languages and mutilate > the system catalogs and lots of other terrible things. I don't agree that we should focus _solely_ on allowing non-superusers to do more things. Sure, it's a good thing to do -- but we shouldn't completely close the option of securing superuser itself. I think it's not completely impossible to have a future where superuser is just so within the database, i.e. that it can't escape to the operating system. I'm sure that would be useful in many environments. On this list, many people frequently make the argument that it is impossible to secure, but I'm not convinced. They can mutilate the system catalogs: yes, they can TRUNCATE pg_type. So what? They've just destroyed their own ability to do anything else. The real issue here is that they can edit pg_proc to cause SQL function calls to call arbitrary code. But what if we limit functions so that the C code that they can call is located in specific places that are known to only contain secure code? This is easy: make sure the OS-installation only contains safe code in $libdir. I hear you say: ah, but they can modify dynamic_library_path, which is a GUC, to load code from anywhere -- especially /tmp, where the newest bitcoin-mining library was just written. This is true. I suggest, to solve this problem, that we should make dynamic_library_path no longer a GUC. It should be a setting that comes from a different origin, one that even superuser cannot write to. Only the OS-installation can modify that file; that way, superuser cannot load arbitrary code that way. This is where the new GUC setting being proposed in this thread rubs me the wrong way: it's adding yet another avenue for this to be exploited. I would like this new directory not to be a GUC either, just like dynamic_library_path. I hear you argue: ah, but they can use COPY to write a new file to $libdir. Yes, they can, and I think that's foolish. We could have another non-GUC setting which takes a list of directories where COPY can write files into. Problem solved. Do people really need the ability to write files on arbitrary locations? Untrusted extensions: well, just don't have those in the OS-installation and you'll be fine. I'm okay with saying that a superuser-restricted system is incompatible with plpython. archive_command and so on: we could disable these too. Nathan did some work to implement those using dynamic libraries, so it shouldn't be too much of a loss; anything that is done with a shell script can also be done with a small library. Those libraries can be made safe. If there are other ways to invoke shell commands from GUCs, let's add the ability to use libraries for those too. What other exploits do we know about? How can we close them? Now, I'm not saying that this is an easy journey. But if we don't start, we're not going to get there. -- Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/ "Doing what he did amounts to sticking his fingers under the hood of the implementation; if he gets his fingers burnt, it's his problem." (Tom Lane)