peter hessler @openbsd is a user on bsd.network.
peter hessler @openbsd @phessler

Has any user thought about applying to ?

That seems like something that would be pretty helpful.


@phessler it is also beyond the ability of probably three people on the planet… have you tried asking 4th Quadrant? Seriously, on a database is as complex as trying to put together a *real* SELinux or systrace policy for .

@cynicalsecurity oh? Heh. A friend of mine involved with upstream asked me if I knew of anything, so I tossed it over the wall to social media.

@cynicalsecurity @phessler The recent pledge problem with fossil, caused by sqlite having behaviour that even Dr Hipp didn't account for, should serve as a warning 😰

@cb @cynicalsecurity I think the warning is "properly test" instead of "don't do it".

Upstreaming the code and getting them to also review it can be helpful.

@phessler @cb I'm wondering if capabilities is the correct approach for securing a database to be honest.

An attack against a database is either to its data (and capabilities there are useless) or via the accesses it has (and there I can see a use by limiting what the database has access to).

In 2018 I would posit that one attacks databases for the data not for the access.

@cynicalsecurity @cb While I do agree with you, there is very little about that we can do as the OS or the packager.

Both the database daemon and the client program process data and have access to other parts of the system that may be considered sensitive.

Upstream has an interest in this as well, so a redesign of internals can happen if needed.

Also, we *did* pledge our bgp daemon ;).

@phessler @cb nothing counts until you pledge systemd! ;)

I can see how you might want to enforce capabilities to limit system access by the database but I do have to wonder how much you can really do. For example databases often have their own dedicated partitions - this means access to pretty low-level syscalls to get in.

A standard Postgres install would probably be ok with pledge being used to limit its access although I still wonder how doable it is. Client I can believe, server mmh.

@gaunilone @phessler yes, sorry, I always get the quadrant wrong. One of those company names where you remember half of it and the other half has a 25% chance of being correct.