Big thanks to Serge{i,y} for these suggestions. They helped me nail down what we're going to do.

For the record, we'll only load at startup plugins listed on the command line or config file, and these must come with a checksum or an explicit declaration that you don't want the checksum validation. We'll have an admin only command as well, but it doesn't persist the load request anywhere. And we'll only accept plugins from one directory, and it can't contain "..".

If anyone thinks of other issues and shares them with me, I'll appreciate it. 
--
Cheers,
Leif


On Mon, Jul 29, 2013 at 1:44 PM, Sergey Vojtovich <svoj@mariadb.org> wrote:

Hi Leif,

On 29.07.2013, at 19:13, Leif Walsh <leif.walsh@gmail.com> wrote:

> Hi,
>
> I'm working on adding a plugin API (not exactly a storage engine API, rather an extension one) to TokuMX[1] and I'm looking for advice on security.
>
> The basic idea is fairly simple: a plugin is a shared library (we're only targeting Linux right now, by the way) that defines a symbol to bootstrap the loading of additional functionality. We have an admin-only command that calls dlopen and dlsym to load the plugin.
>
> I haven't read any of the MariaDB plugin code yet, so pointers to where to start reading would be appreciated. Apart from that, I'm just looking for any advice from you all about what to watch out for. My concerns break down into two main areas:
Plugin loading functionality is mostly in sql/sql_plugin.cc. Plugin data types and declarations are in include/mysql, start with plugin.h.

>
> 1. When loading a single plugin, what should I watch out for? The command itself is admin-only so calling it is protected, but what about an attacker that drops a malicious plugin in a directory earlier on the load path? What should I check about the permissions/owner of the library file and the directory in which it lives? Is erroring out on world-writable libraries enough? If my process is setuid, should I be more careful? What does Maria do here?
MySQL/Maria doesn't do much wrt plugin load security. Just a few things on my mind:
- installing/uninstalling plugins requires privilege
- it won't load plugins from directories other than specified by --plugin-dir (check plugin name carefully for "..")
- there is FORCE_PLUS_PERMANENT plugin option, which forbids plugin deinstallation at all (originally was intended for audit plugins)

We could probably save shared object checksum (or even better subscribe plugins) to detect library replacement, but we do not do it yet.

>
> 2. About plugin persistence/autoloading: I understand MariaDB has a system table that tracks which plugins are installed and automatically loads those on startup. I believe I can do the same thing in TokuMX and I can restrict access to that collection to the admin user. What does MariaDB store in that table and how does it use it? I could imagine storing the checksum of the installed plugin in the system table and verifying it before loading the plugin, but this seems rather draconian and it might make plugin upgrades too difficult. Does MariaDB verify the permissions of the data files that store this system table? I could imagine an attack where you would replace this system table with one that includes instructions to load your malicious plugin, while the server is offline. Again, how does MariaDB solve these problems? Another option is to autoload all libraries in some directory, and to just be very careful about the permissions of that directory, but this seems very hard to get totally right so I'm leaning away from it.
Check mysql.plugin table. To my knowledge neither MySQL nor MariaDB verify shared object permissions. Also, I'm not aware of any extra protection of system tables, except for proper file permissions of course.

Regards,
Sergey

>
> [1]: http://www.tokutek.com/products/tokumx-for-mongodb
> --
> Cheers,
> Leif
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to: maria-developers@lists.launchpad.net
> Unsubscribe: https://launchpad.net/~maria-developers
> More help: https://help.launchpad.net/ListHelp