Authorization, Database Security

Transcription

1 Authorization, Database Security FCDB 10.1 Dr. Chris Mayfield Department of Computer Science James Madison University Mar 26, 2018

2 Database security 101 Access control, users/groups Views (for limiting access) Encryption (e.g., passwords) Denial of service attacks Fault tolerance (hot standby) Privacy of user s information Audit trail (using triggers?) Inside Logo.svg Mar 26, 2018 Authorization, Database Security 2 of 18

3 Privileges POSIX file system: {User, Group, Other} may {4=Read, 2=Write, 1=Execute} Example: chmod 755 myfile.txt SQL database: SELECT, INSERT, UPDATE, DELETE TRUNCATE, REFERENCES, TRIGGER CREATE, CONNECT, TEMPORARY EXECUTE, USAGE, ALL PRIVILEGES Mar 26, 2018 Authorization, Database Security 3 of 18

4 Granting privileges GRANT <privilege list> ON <database element> TO <user list> GRANT SELECT, INSERT ON Studio TO kirk, picard WITH GRANT OPTION; PostgreSQL syntax is slightly different from the book GRANT SELECT (title), UPDATE (title) ON movies TO sisko; Easy way to give everyone read access GRANT SELECT ON ALL TABLES IN SCHEMA public TO public; Mar 26, 2018 Authorization, Database Security 4 of 18

5 Grant diagrams Directed graph Nodes = user and privilege ** = owner of element * = with grant option Edges = who granted privilege Fundamental rule User C has privilege P if and only if: Path from XQ to CP, CP, or CP X is the owner and Q P (superprivilege) Remember that P could be Q, and X could be C Superusers and object owners have all privileges Mar 26, 2018 Authorization, Database Security 5 of 18

6 Example grant diagram A owns the object for which P is a privilege User A: GRANT P TO B WITH GRANT OPTION; User B: GRANT P TO C WITH GRANT OPTION; User A: GRANT P TO C; Mar 26, 2018 Authorization, Database Security 6 of 18

7 Example revoke cascade User A: REVOKE P FROM B CASCADE; Both B and C lose P However, C still has P Mar 26, 2018 Authorization, Database Security 7 of 18

8 Revoking privileges REVOKE <privilege list> ON <database element> FROM <user list> [ CASCADE RESTRICT ] Note: RESTRICT by default Cannot revoke if has any dependent privileges REVOKE SELECT, INSERT ON Studio FROM picard CASCADE; -- PostgreSQL has additional options REVOKE ALL PRIVILEGES ON Studio FROM picard; See practice problems on page 436 Mar 26, 2018 Authorization, Database Security 8 of 18

9 Creating initial privileges How I created your databases: CREATE USER mayfiecs PASSWORD ' '; CREATE DATABASE mayfiecs OWNER = mayfiecs; REVOKE ALL ON DATABASE mayfiecs FROM public; And made postgres DB read-only: REVOKE CREATE ON DATABASE postgres FROM public; REVOKE TEMP ON DATABASE postgres FROM public; -- connect to the postgres database first REVOKE CREATE ON SCHEMA public FROM public; Mar 26, 2018 Authorization, Database Security 9 of 18

10 Privilege-checking process Group roles: 1. Is the user the owner? 2. Is the object public? 3. Does the user have access? CREATE ROLE absent; -- NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION -- each user has a set of authorization IDs GRANT absent TO mayfiecs; Super users: CREATE ROLE postgres LOGIN SUPERUSER INHERIT CREATEDB CREATEROLE REPLICATION; Mar 26, 2018 Authorization, Database Security 10 of 18

11 SQL Injection Why is this still a problem?

12 Exploits of a Mom Mar 26, 2018 Authorization, Database Security 12 of 18

13 Traffic cameras? Mar 26, 2018 Authorization, Database Security 13 of 18

14 Other examples NEVER CONCATENATE USER INPUT! String sql = " SELECT * FROM users \ n" + " WHERE name = '" + username + " ';" Hello, my name is: OR 1 = 1 SELECT * FROM users WHERE name = '' OR '1'='1'; Or, my password is: OR 1=1;-- SELECT * FROM users WHERE name = '' OR 1=1;--'; Little Bobby Tables: ; DROP TABLE users;-- SELECT * FROM users WHERE name = ''; DROP TABLE users;--'; Mar 26, 2018 Authorization, Database Security 14 of 18

15 SQL injection attacks Adding or modifying data Denial of service Privilege escalation Bypassing authentication Evading detection Executing remote commands Extracting data Identifying injectable parameters Inferring sensitive information injection Mar 26, 2018 Authorization, Database Security 15 of 18

16 How to prevent attacks Your application should: Validate all user input Use parameter substitution (i.e., PreparedStatement) Use stored procedures (SQL functions, views) Your user account should: Have minimal privileges Create application-specific user accounts Never use admin account for applications! Your db server should: Be separate from your web/app servers Install security patches when released Mar 26, 2018 Authorization, Database Security 16 of 18

17 REMEMBER Don t make any assumptions about user input! String div_num = request.getparameter("div_num");