PGCon2010 - Final Release III

PGCon 2010
The PostgreSQL Conference

KaiGai Kohei
Day Talks - 1 - 2010-05-20
Room DMS 1140
Start time 15:00
Duration 01:00
ID 217
Event type Lecture
Track Advanced Features
Language used for presentation English


A secure web-application stack using SE-PostgreSQL

Nowadays, many web applications are closely combined with database systems, using the database to provide various kinds of dynamic content. In these environments, you cannot just focus on individual applications, databases and the operating systems. You need to consider the whole system.

This session describes why you should apply consistent and centralized access control policy, how SE-PostgreSQL can be utilized to improve web application security, and shows a working example of the stack named as LAPP/SELinux.

There are two major issues in web application security that can be improved by using an approach like LAPP/SELinux.

In most cases, a web-system consists of multiple layers called a stack, such as LAPP, and each layer of the stack has its own individual access control facilities. It is hard to maintain each of them to always apply consistent access control decisions without a centralized reference. SE-PostgreSQL applies its own access controls based on the SELinux security policy, in addition to the default PG privilege checks. Those policies are also applied on access attempts to the filesystem and other OS resources, so you will always see consistent access control decisions across the system.

Another issue is the privileges of web application instances. When these are launched by a web server, they inherit the privileges of the server process. That makes it hard to enforce meaningful access controls, because the OS and DB cannot distinguish among individual users. This leaves you very exposed to bugs and vulnerabilities in your web applications. The Apache/SELinux plus module launches web application instances with individual privileges based on http authentication. Unlike application level checks, these are always applied prior to invocation of the web application, so you can't bypass them. Then when the application requests resources from the OS and DB, they can make their access control decisions based on the privileges assigned.

We call this stack LAPP/SELinux. It enables web applications to run with the minimal privilege set appropriate for individual users/groups.

We assume audiences are interested in security issues and have basic knowledge of access controls. We do not expect any previous knowledge of SELinux.