Laurenz Albe wrote: > On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote: > > In my extension pgsodium I'm defining a custom variable at startup to store a key: > > > > https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107 > > > > I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, > > and a custom "no show" show hook that obscures the value. This idea was inspired from the > > pgcryptokey module from Bruce Momjian. > > > > The value cannot be shown either with SHOW or current_setting() and it does not appear in pg_settings. > > From what I can tell, the value is inaccessible from SQL, but I think it's worth asking > > the experts if there is some other demonstrable way, from SQL, that this value could be > > leaked even to a superuser. no sql level user should be able to see this value, only a C function, > > like the pgsodium_derive() from which to derive other keys, should be able to see it. > > I realize that someone with external process access can get the key, my goal is to prevent > > accessing it from SQL. > > > > Any thoughts on weaknesses to this approach would be welcome. Thanks! > > > > -Michel > > A superuser can access files and start programs on the server machine. > > A dedicated superuser may for example attach to PostgreSQL with a debugger > and read the value of the variable. > > And if that doesn't work, there may be other things to try. > > It is mostly useless to try to keep a superuser from doing anything that > the "postgres" operating system user can do. > > Yours, > Laurenz Albe But only mostly useless. :-) There are ways to limit the power of the superuser. On Linux, for instance, "sysctl kernel.yama.ptrace_scope=3" prevents tracing, debugging, and reading another process's memory, even by the superuser, and the only way to turn it off is via a (hopefully noticeable) reboot. And, if the keys aren't present on the server at boot time, and aren't fetched from their remote source (or read from a user) unless that yama setting is in place, then it will be very hard for a superuser to obtain the keys. If a remote source KMS is used, ideally, you'd also want it to cryptographically verify that its client hadn't been tampered with (somehow), or to not hand out the keys except for planned reboots. The point is that it's not useless to make things harder for a superuser. You might not stop a legitimate sitewide superuser whose family is being held hostage, but you can stop, or at least make things much more difficult, for a superuser process on a single host that is the result of a software vulnerability that wasn't nobbled by apparmor or selinux or grsecurity. cheers, raf
