[Maria-developers] Plugin security
Hi,

I'm working on adding a plugin API (not exactly a storage engine API, rather an extension one) to TokuMX[1] and I'm looking for advice on security.

The basic idea is fairly simple: a plugin is a shared library (we're only targeting Linux right now, by the way) that defines a symbol to bootstrap the loading of additional functionality. We have an admin-only command that calls dlopen and dlsym to load the plugin.

I haven't read any of the MariaDB plugin code yet, so pointers to where to start reading would be appreciated. Apart from that, I'm just looking for any advice from you all about what to watch out for. My concerns break down into two main areas:

1. When loading a single plugin, what should I watch out for? The command itself is admin-only so calling it is protected, but what about an attacker that drops a malicious plugin in a directory earlier on the load path? What should I check about the permissions/owner of the library file and the directory in which it lives? Is erroring out on world-writable libraries enough? If my process is setuid, should I be more careful? What does Maria do here?

2. About plugin persistence/autoloading: I understand MariaDB has a system table that tracks which plugins are installed and automatically loads those on startup. I believe I can do the same thing in TokuMX and I can restrict access to that collection to the admin user. What does MariaDB store in that table and how does it use it? I could imagine storing the checksum of the installed plugin in the system table and verifying it before loading the plugin, but this seems rather draconian and it might make plugin upgrades too difficult. Does MariaDB verify the permissions of the data files that store this system table? I could imagine an attack where you would replace this system table with one that includes instructions to load your malicious plugin, while the server is offline. Again, how does MariaDB solve these problems?

Another option is to autoload all libraries in some directory, and to just be very careful about the permissions of that directory, but this seems very hard to get totally right so I'm leaning away from it.

[1]: http://www.tokutek.com/products/tokumx-for-mongodb

--
Cheers,
Leif
Hi Leif! About your plugin... will you use MongoDB (like a federated engine), or will you port TokuDB to MariaDB (like the InnoDB engine)? I think TokuDB is being implemented today; there's an MDEV in Jira for it at least (https://mariadb.atlassian.net/browse/MDEV-4507). I don't know about TokuMX: is it an engine for MongoDB, or a query language (like a full-text index)? About the other doubts I don't know; you must check with other users or run a test database.
TokuMX is MongoDB but with the storage code completely replaced by the same fractal tree library that we use in TokuDB. The storage code integration is already done. What I'm asking about here is not storage related. I'm trying to add the ability to create plugins to load into the existing server. You could do the same thing with vanilla MongoDB. I just want to be able to load shared libs that add arbitrary functionality. Since MariaDB has done this, I'm looking for advice on how to load plugins securely.

--
Cheers,
Leif

On Mon, Jul 29, 2013 at 11:44 AM, Roberto Spadim <roberto@spadim.com.br> wrote:
> Hi Leif! About your plugin... will you use MongoDB (like a federated engine), or will you port TokuDB to MariaDB (like the InnoDB engine)? I think TokuDB is being implemented today; there's an MDEV in Jira for it at least (https://mariadb.atlassian.net/browse/MDEV-4507). I don't know about TokuMX: is it an engine for MongoDB, or a query language (like a full-text index)? About the other doubts I don't know; you must check with other users or run a test database.
Hum, as far as I know, MariaDB shares the same plugin API as MySQL (I didn't find a new plugin API at least), but about docs, here is some information: http://dev.mysql.com/doc/refman/5.7/en/plugin-api.html. It's 5.7, and MariaDB is still porting MySQL 5.6, so maybe some features aren't enabled, but if you look at MySQL 5.5 I think it's fully portable; must check... The code from MySQL to MariaDB (plugins) is easily ported in most cases; sometimes you need to change var types, but that was the 'biggest' change that I saw (in a UDF function in my case).
Hi Leif,

On 29.07.2013, at 19:13, Leif Walsh <leif.walsh@gmail.com> wrote:
> Hi,
>
> I'm working on adding a plugin API (not exactly a storage engine API, rather an extension one) to TokuMX[1] and I'm looking for advice on security.
>
> The basic idea is fairly simple: a plugin is a shared library (we're only targeting Linux right now, by the way) that defines a symbol to bootstrap the loading of additional functionality. We have an admin-only command that calls dlopen and dlsym to load the plugin.
>
> I haven't read any of the MariaDB plugin code yet, so pointers to where to start reading would be appreciated. Apart from that, I'm just looking for any advice from you all about what to watch out for. My concerns break down into two main areas:

Plugin loading functionality is mostly in sql/sql_plugin.cc. Plugin data types and declarations are in include/mysql; start with plugin.h.

> 1. When loading a single plugin, what should I watch out for? The command itself is admin-only so calling it is protected, but what about an attacker that drops a malicious plugin in a directory earlier on the load path? What should I check about the permissions/owner of the library file and the directory in which it lives? Is erroring out on world-writable libraries enough? If my process is setuid, should I be more careful? What does Maria do here?

MySQL/Maria doesn't do much wrt plugin load security. Just a few things on my mind:
- installing/uninstalling plugins requires privilege
- it won't load plugins from directories other than the one specified by --plugin-dir (check the plugin name carefully for "..")
- there is the FORCE_PLUS_PERMANENT plugin option, which forbids plugin deinstallation at all (originally it was intended for audit plugins)
We could probably save the shared object checksum (or even better, sign plugins) to detect library replacement, but we do not do it yet.

> 2. About plugin persistence/autoloading: I understand MariaDB has a system table that tracks which plugins are installed and automatically loads those on startup. I believe I can do the same thing in TokuMX and I can restrict access to that collection to the admin user. What does MariaDB store in that table and how does it use it? I could imagine storing the checksum of the installed plugin in the system table and verifying it before loading the plugin, but this seems rather draconian and it might make plugin upgrades too difficult. Does MariaDB verify the permissions of the data files that store this system table? I could imagine an attack where you would replace this system table with one that includes instructions to load your malicious plugin, while the server is offline. Again, how does MariaDB solve these problems?
>
> Another option is to autoload all libraries in some directory, and to just be very careful about the permissions of that directory, but this seems very hard to get totally right so I'm leaning away from it.

Check the mysql.plugin table. To my knowledge neither MySQL nor MariaDB verify shared object permissions. Also, I'm not aware of any extra protection of system tables, except for proper file permissions of course.

Regards,
Sergey

> [1]: http://www.tokutek.com/products/tokumx-for-mongodb
> --
> Cheers,
> Leif
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to : maria-developers@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-developers
> More help : https://help.launchpad.net/ListHelp
Big thanks to Serge{i,y} for these suggestions. They helped me nail down what we're going to do.

For the record, we'll only load at startup plugins listed on the command line or config file, and these must come with a checksum or an explicit declaration that you don't want the checksum validation. We'll have an admin-only command as well, but it doesn't persist the load request anywhere. And we'll only accept plugins from one directory, and it can't contain "..".

If anyone thinks of other issues and shares them with me, I'll appreciate it.

--
Cheers,
Leif

On Mon, Jul 29, 2013 at 1:44 PM, Sergey Vojtovich <svoj@mariadb.org> wrote:
> Hi Leif,
>
> On 29.07.2013, at 19:13, Leif Walsh <leif.walsh@gmail.com> wrote:
>> Hi,
>>
>> I'm working on adding a plugin API (not exactly a storage engine API, rather an extension one) to TokuMX[1] and I'm looking for advice on security.
>>
>> The basic idea is fairly simple: a plugin is a shared library (we're only targeting Linux right now, by the way) that defines a symbol to bootstrap the loading of additional functionality. We have an admin-only command that calls dlopen and dlsym to load the plugin.
>>
>> I haven't read any of the MariaDB plugin code yet, so pointers to where to start reading would be appreciated. Apart from that, I'm just looking for any advice from you all about what to watch out for. My concerns break down into two main areas:
> Plugin loading functionality is mostly in sql/sql_plugin.cc. Plugin data types and declarations are in include/mysql; start with plugin.h.
>>
>> 1. When loading a single plugin, what should I watch out for? The command itself is admin-only so calling it is protected, but what about an attacker that drops a malicious plugin in a directory earlier on the load path? What should I check about the permissions/owner of the library file and the directory in which it lives? Is erroring out on world-writable libraries enough? If my process is setuid, should I be more careful? What does Maria do here?
> MySQL/Maria doesn't do much wrt plugin load security. Just a few things on my mind:
> - installing/uninstalling plugins requires privilege
> - it won't load plugins from directories other than the one specified by --plugin-dir (check the plugin name carefully for "..")
> - there is the FORCE_PLUS_PERMANENT plugin option, which forbids plugin deinstallation at all (originally it was intended for audit plugins)
> We could probably save the shared object checksum (or even better, sign plugins) to detect library replacement, but we do not do it yet.
>>
>> 2. About plugin persistence/autoloading: I understand MariaDB has a system table that tracks which plugins are installed and automatically loads those on startup. I believe I can do the same thing in TokuMX and I can restrict access to that collection to the admin user. What does MariaDB store in that table and how does it use it? I could imagine storing the checksum of the installed plugin in the system table and verifying it before loading the plugin, but this seems rather draconian and it might make plugin upgrades too difficult. Does MariaDB verify the permissions of the data files that store this system table? I could imagine an attack where you would replace this system table with one that includes instructions to load your malicious plugin, while the server is offline. Again, how does MariaDB solve these problems?
>>
>> Another option is to autoload all libraries in some directory, and to just be very careful about the permissions of that directory, but this seems very hard to get totally right so I'm leaning away from it.
> Check the mysql.plugin table. To my knowledge neither MySQL nor MariaDB verify shared object permissions. Also, I'm not aware of any extra protection of system tables, except for proper file permissions of course.
>
> Regards,
> Sergey
>>
>> [1]: http://www.tokutek.com/products/tokumx-for-mongodb
>> --
>> Cheers,
>> Leif
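As an added illustration, not TokuMX or MariaDB code, of the load policy Leif settles on above together with Sergey's points about a single plugin directory and rejecting "..": a Python model of the load gate (bare name confined to one directory, ownership and write-permission checks on directory and file, optional SHA-256 check, then dlopen/dlsym via ctypes), exercised against a constructed fake plugin file. The exact ownership/mode rules and the `plugin_init` symbol name are assumptions.

```python
import ctypes, hashlib, os, stat, tempfile
class PluginRejected(Exception):
    pass  # load-time policy failure: the library must not be dlopen()ed

def validate_plugin(plugin_dir, name, expected_sha256=None):
    """Assumed policy: bare name inside plugin_dir, dir and file owned by root
    or the server uid and not group/world-writable, SHA-256 matches if given."""
    if not name or "/" in name or ".." in name:
        raise PluginRejected("plugin name must be a bare file name")
    real_dir = os.path.realpath(plugin_dir)
    path = os.path.realpath(os.path.join(real_dir, name))  # follows symlinks
    if os.path.dirname(path) != real_dir:
        raise PluginRejected("plugin resolves outside plugin_dir")
    for p, is_type in ((real_dir, stat.S_ISDIR), (path, stat.S_ISREG)):
        st = os.stat(p)
        if not is_type(st.st_mode):
            raise PluginRejected(p + ": unexpected file type")
        if st.st_uid not in (0, os.geteuid()):
            raise PluginRejected(p + ": owned by uid %d" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PluginRejected(p + ": group/world writable")
    if expected_sha256 is not None:
        digest = hashlib.sha256(open(path, "rb").read()).hexdigest()
        if digest != expected_sha256.lower():
            raise PluginRejected("checksum mismatch: library replaced or upgraded")
    return path

def load_plugin(plugin_dir, name, expected_sha256=None, symbol="plugin_init"):
    """dlopen() + dlsym() after validation (symbol name assumed). Check-then-open
    is a TOCTOU window, so plugin_dir itself must not be writable by others."""
    return getattr(ctypes.CDLL(validate_plugin(plugin_dir, name, expected_sha256),
                               mode=os.RTLD_NOW), symbol)

def demo():
    """Constructed fixture: a fake plugin file exercised under the policy."""
    def reject(*args):  # rejection reason, or None if the plugin was accepted
        try: validate_plugin(*args); return None
        except PluginRejected as e: return str(e)
    out, blob = {}, b"\x7fELF-lookalike bytes, constructed, not loadable"
    with tempfile.TemporaryDirectory() as d:  # created mode 0700, owned by us
        p = os.path.join(d, "libdemo.so")
        open(p, "wb").write(blob)
        os.chmod(p, 0o644)
        good = hashlib.sha256(blob).hexdigest()
        out["ok"] = validate_plugin(d, "libdemo.so", good) == os.path.realpath(p)
        out["traversal"] = reject(d, "../libdemo.so", good)
        out["bad_sum"] = reject(d, "libdemo.so", "0" * 64)
        os.chmod(p, 0o666)  # simulate an attacker-writable library
        out["world_writable"] = reject(d, "libdemo.so", good)
    return out
```

The checksum is only as trustworthy as the config file that carries it, so that file needs the same ownership and permission discipline as the plugin directory.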