Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. DBMail>
  3. dev
dbmail SQL structure, SCHEMA support, SQL injection
jmpoure at gooze
May 28, 2014, 4:35 AM
Post #1 of 11 (4489 views)
Permalink
Dear all,

First, I would like to congratulate you for working several years on
dbmail. After fetching source code from GIThub, I could count 46682
lines code in src and 152170 in total. Not bad!

For years, I have been looking for a reliable mail server relying on SQL
(i.e. PostgreSQL in my case) and I am happy I probably found it.

I would like to participate in coding and I have some questions.

Here are some questions:

1) SQL Table structure

Are there reasons for splitting the message table into several
sub-tables.

For example: dbmail_messages and dbmail_physmessage and
dbmail_messageblks

CREATE TABLE dbmail_messages
(
message_idnr bigint NOT NULL DEFAULT
nextval('dbmail_message_idnr_seq'::regclass),
mailbox_idnr bigint,
physmessage_id bigint,
seen_flag smallint NOT NULL DEFAULT 0::smallint,
answered_flag smallint NOT NULL DEFAULT 0::smallint,
deleted_flag smallint NOT NULL DEFAULT 0::smallint,
flagged_flag smallint NOT NULL DEFAULT 0::smallint,
recent_flag smallint NOT NULL DEFAULT 0::smallint,
draft_flag smallint NOT NULL DEFAULT 0::smallint,
unique_id character varying(70) NOT NULL,
status smallint NOT NULL DEFAULT 0::smallint,
CONSTRAINT dbmail_messages_pkey PRIMARY KEY (message_idnr),
CONSTRAINT dbmail_messages_mailbox_idnr_fkey FOREIGN KEY
(mailbox_idnr)
REFERENCES dbmail_mailboxes (mailbox_idnr) MATCH SIMPLE
ON UPDATE CASCADE ON DELETE CASCADE,
CONSTRAINT dbmail_messages_physmessage_id_fkey FOREIGN KEY
(physmessage_id)
REFERENCES dbmail_physmessage (id) MATCH SIMPLE
ON UPDATE CASCADE ON DELETE CASCADE
)
WITH (
OIDS=FALSE
);

and

CREATE TABLE dbmail_physmessage
(
id bigint NOT NULL DEFAULT
nextval('dbmail_physmessage_id_seq'::regclass),
messagesize bigint NOT NULL DEFAULT 0::bigint,
rfcsize bigint NOT NULL DEFAULT 0::bigint,
internal_date timestamp without time zone,
CONSTRAINT dbmail_physmessage_pkey PRIMARY KEY (id)
)
WITH (
OIDS=FALSE
);
ALTER TABLE dbmail_physmessage
OWNER TO dbmail;

and

CREATE TABLE dbmail_messageblks
(
messageblk_idnr bigint NOT NULL DEFAULT
nextval('dbmail_messageblk_idnr_seq'::regclass),
physmessage_id bigint,
messageblk bytea NOT NULL,
blocksize bigint NOT NULL DEFAULT 0::bigint,
is_header smallint NOT NULL DEFAULT 0::smallint,
CONSTRAINT dbmail_messageblks_pkey PRIMARY KEY (messageblk_idnr),
CONSTRAINT dbmail_messageblks_physmessage_id_fkey FOREIGN KEY
(physmessage_id)
REFERENCES dbmail_physmessage (id) MATCH SIMPLE
ON UPDATE CASCADE ON DELETE CASCADE
)
WITH (
OIDS=FALSE
);
ALTER TABLE dbmail_messageblks
OWNER TO dbmail;

The only reasons I see for separating those tables would be storing them
in different tablespaces. But even this is questionable.

I am worried that this kind of separation might result on sequential
scans instead of memory and index scans. A JOIN without a reason is
always an expansive CPU task. Each row needs several CPU cycles.

Under modern systems like PostgreSQL, it seems more interesting to have
a single table with advanced indexing: partial indexes and/or full-text
seach (FTS) and/or materialized views. These indexes can be placed on a
different tablespace, i.e. an SSD drive. Rebuilding FTS happens in
background, so that inserts are fast. This is a much modern approach
that splitting a table in three.

Also, I am worried that running a lot of LEFT JOINs in the database
might open security breaches. This is the second issue also.

2) Privilege separation

I read the post on the WIKI with interest and would like to add this
information:

PostgreSQL supports CREATE SCHEMA:
http://www.postgresql.org/docs/9.4/static/sql-createschema.html

CREATE SCHEMA is compatible with the prefix of tables. But it is more
powerful as we can restrict a connection to a schema.

When connecting, you may restrict to a schema:
set search_path to 'schema'

You may also "glue" a user to a specific schema:
ALTER USER user_name SET search_path to 'schema'

Using schemas, it may be possible to create as many database structures
using an imap identifier (john@doe.fr).

This is to prevent the scope of any SQL injection and limit it to the
sole account of the user.

3) Database performance / SQL injection

Could you point me to any filter against database injection in the
source code. Where is it located in source code?

4) Performance / memory usage

I found this kind of code in dm_mailbox.c

c = db_con_get();
TRY
stmt = db_stmt_prepare(c,
"SELECT id,message_idnr FROM %sphysmessage p "
"LEFT JOIN %smessages m ON p.id=m.physmessage_id "
"LEFT JOIN %smailboxes b ON b.mailbox_idnr=m.mailbox_idnr "
"WHERE b.mailbox_idnr=? ORDER BY message_idnr",
DBPFX,DBPFX,DBPFX);
db_stmt_set_u64(stmt, 1, self->id);
r = db_stmt_query(stmt);

OK, this is only a prepare statement ... but

as I receive logs using mail, some of my mailboxes usually have more
than 100.000 message. I

This query results in a huge sequential scan, followed by an ORDER BY
statement and then is transferred to memory. I did not test with EXPLAIN
ANALYSE but it must be very CPU and memory expansive to run.

ids = p_list_new(self->pool);
while (db_result_next(r)) {
physid = db_result_get_u64(r,0);
msgid = db_result_get_u64(r,1);
if (g_tree_lookup(uids,&msgid)) {
id = mempool_pop(self->pool, sizeof(uint64_t));
*id = physid;
ids = p_list_append(ids,id);
}
}

For performance, there should be more LIMIT and OFFSET statements to
trim recordsets and avoid filling memory.

***

IMHO , DBmail is not usable in production:

I am worried that it contains source code that allows SQL injection and
gives access to all messages at once. Without SCHEMA support I will
probably not install DBmail.

Would you welcome a discussion followed by a patch/review for PostgreSQL
to make it work using SCHEMAs? It should not alter table structure.

Would you welcome a SCHEMA patch? What are your recommendations and
guidelines?

Kind regards,
Kellogs

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
paul at nfg
May 28, 2014, 10:39 AM
Post #2 of 11 (4414 views)
Permalink
On 28-05-14 13:35, Jean-Michel Pouré - GOOZE wrote:
> Are there reasons for splitting the message table into several
> sub-tables.

Lightweight copying of messages, ability to link messages to multiple
mailboxes.

>
> For example: dbmail_messages and dbmail_physmessage and
> dbmail_messageblks

messageblks is not used anymore. Message are now decomposed into
mime-parts and those are stored de-duplicated in mimeparts.

> CREATE TABLE dbmail_messages

dbmail_messages contains only meta-data (flags) specific to a mailbox
context.

> CREATE TABLE dbmail_physmessage

is a link table with some meta-data (sizes and date) that are
independent of the mailbox or owner.

> The only reasons I see for separating those tables would be storing them
> in different tablespaces. But even this is questionable.

You misunderstand.

> I am worried that this kind of separation might result on sequential
> scans instead of memory and index scans. A JOIN without a reason is
> always an expansive CPU task. Each row needs several CPU cycles.

JOINS are unavoidable in a highly normalized schema. If you know a
better way to retrieve the same information, please share.

>
> Under modern systems like PostgreSQL, it seems more interesting to have
> a single table with advanced indexing: partial indexes and/or full-text
> seach (FTS) and/or materialized views. These indexes can be placed on a
> different tablespace, i.e. an SSD drive. Rebuilding FTS happens in
> background, so that inserts are fast. This is a much modern approach
> that splitting a table in three.

FTS is not supported. DBMail works on multiple DBMS systems (mysql,
postgresql, sqlite and oracle). FTS is non-standard. I've been thinking
about a SOLR or ELK solution, but nothing has come of it so far.

> Also, I am worried that running a lot of LEFT JOINs in the database
> might open security breaches. This is the second issue also.

Security issues from JOINs?? what are you talking about?

> 2) Privilege separation
>
> I read the post on the WIKI with interest and would like to add this
> information:

what post is that?

>
> PostgreSQL supports CREATE SCHEMA:
> http://www.postgresql.org/docs/9.4/static/sql-createschema.html
>
> CREATE SCHEMA is compatible with the prefix of tables. But it is more
> powerful as we can restrict a connection to a schema.
>
> When connecting, you may restrict to a schema:
> set search_path to 'schema'
>
> You may also "glue" a user to a specific schema:
> ALTER USER user_name SET search_path to 'schema'

Eh, the only user connecting to the database is the user specified in
the dbmail.conf file. Also, running the dbmail schema inside a
non-dedicated database is not standard. Allowing other users to connect
is not supported for the reasons you describe.

> Using schemas, it may be possible to create as many database structures
> using an imap identifier (john@doe.fr).

Ok. Sounds cool. But can you still share some tables? Like the main
message store?

>
> This is to prevent the scope of any SQL injection and limit it to the
> sole account of the user.

SQL injection is DBMail will be very, very hard, if at all possible. All
queries that contain user generated values run as prepared statements. I
really don't think that much of an issue. Being able to drop privileges
to the imap user could be very useful for some use-cases. I'm not sure
which - but it sounds cool.

>
> 3) Database performance / SQL injection
>
> Could you point me to any filter against database injection in the
> source code. Where is it located in source code?

That is not needed, as far as I know. Prepared statements dominate, and
plain queries are only used where the parameters are internally
generated from trusted values like integers.

> 4) Performance / memory usage
>
> I found this kind of code in dm_mailbox.c
>

[snip]

> IMHO , DBmail is not usable in production:

Well, that is not what I hear from users, some of whom are running some
pretty massive installations.


> I am worried that it contains source code that allows SQL injection and
> gives access to all messages at once. Without SCHEMA support I will
> probably not install DBmail.

Your worry is misguided in this respect. Talking about SQL injection
without proof is pure FUD. This is not some crappy PHP wordpress module :-)

> Would you welcome a discussion followed by a patch/review for PostgreSQL
> to make it work using SCHEMAs? It should not alter table structure.
>
> Would you welcome a SCHEMA patch? What are your recommendations and
> guidelines?

Patches and discussions are always welcome. I know a thing or two, but
some others will always know more, especially about optimizing queries.

As to guidelines:

Try not to introduce new coding styles.

Make sure all tests run:

cd jenkins; make test

this will run all known tests agains postgresql and mysql backends.

Patches that break compatibility with the supported systems I mentioned
can not be merged.

If it requires a schema migration, a migration for all systems is
required. Only exception is Oracle, since that is not readily available.
There is a small framework in place for those in the master branch. It's
not yet documented so I'll have to explain it if and when.


--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
jmpoure at gooze
May 28, 2014, 4:20 PM
Post #3 of 11 (4411 views)
Permalink
Thank you for explanations.

> Lightweight copying of messages, ability to link messages to multiple
> mailboxes.
[...]
> JOINS are unavoidable in a highly normalized schema. If you know a
> better way to retrieve the same information, please share.

OK, I understand the logic now.

IMHO, it should not be allowed to link a single message to multiple
mailboxes. Because multiple mailboxes are read by different people. This
opens a possible security breach.

As far as I know, you are not reading someone else message because you
are in copy. The same should apply for DBMail.

> Security issues from JOINs?? what are you talking about?

This one in imapd.c:
p_string_printf(query, "SELECT m.message_idnr, n.headername,
v.headervalue%s "
"FROM %sheader h "
"LEFT JOIN %smessages m ON h.physmessage_id=m.physmessage_id "
"LEFT JOIN %sheadername n ON h.headername_id=n.id "
"LEFT JOIN %sheadervalue v ON h.headervalue_id=v.id "
"WHERE m.mailbox_idnr = %" PRIu64 " "
"AND m.message_idnr %s "
"AND n.headername %s IN ('%s') "
"ORDER BY message_idnr, seq",
not?"":fieldorder->str,
DBPFX, DBPFX, DBPFX, DBPFX,
self->mailbox->id, p_string_str(range),
not?"NOT":"", bodyfetch->hdrnames);

IF(?) someone is able to inject m.mailbox_idnr value using a modified
imap client, this query allows to read any emails in the database.

An SQL injection can happen when there is a security breach somewhere
else.

> > 2) Privilege separation
> >
> > I read the post on the WIKI with interest and would like to add this
> > information:
>
> what post is that?

http://www.dbmail.org/dokuwiki/doku.php/privsep

> >
> > PostgreSQL supports CREATE SCHEMA:
> > http://www.postgresql.org/docs/9.4/static/sql-createschema.html
> >
> > CREATE SCHEMA is compatible with the prefix of tables. But it is more
> > powerful as we can restrict a connection to a schema.
> >
> > When connecting, you may restrict to a schema:
> > set search_path to 'schema'
> >
> > You may also "glue" a user to a specific schema:
> > ALTER USER user_name SET search_path to 'schema'
>
> Eh, the only user connecting to the database is the user specified in
> the dbmail.conf file. Also, running the dbmail schema inside a
> non-dedicated database is not standard. Allowing other users to connect
> is not supported for the reasons you describe.

Why not change this and have:
* one DB user
* and one SCHEMA

> > Using schemas, it may be possible to create as many database structures
> > using an imap identifier (john@doe.fr).
>
> Ok. Sounds cool. But can you still share some tables? Like the main
> message store?

Again, I think sharing information between users is a security breach.

The main reasons why servers are getting hacked are (1) dns forgery (2)
email systems. Penetration of email systems are very painful as they
reveal secrets.

> > Could you point me to any filter against database injection in the
> > source code. Where is it located in source code?

It is very likely that some SQL injection is possible in the code. I did
not test or looked deeply, but since you dont' filter SQL statements AND
share tables between users, it is ***VERY*** likely.

> That is not needed, as far as I know. Prepared statements dominate, and
> plain queries are only used where the parameters are internally
> generated from trusted values like integers.

> Well, that is not what I hear from users, some of whom are running some
> pretty massive installations.

Some queries seem pretty intensive, like reading all messages and
transferring in memory. Should use LIMIT and OFFSET. This is not a
priority.

> Patches and discussions are always welcome. I know a thing or two, but
> some others will always know more, especially about optimizing queries.
>
> As to guidelines:
>
> Try not to introduce new coding styles.
>
> Make sure all tests run:
>
> cd jenkins; make test
>
> this will run all known tests agains postgresql and mysql backends.
>
> Patches that break compatibility with the supported systems I mentioned
> can not be merged.
>
> If it requires a schema migration, a migration for all systems is
> required. Only exception is Oracle, since that is not readily available.
> There is a small framework in place for those in the master branch. It's
> not yet documented so I'll have to explain it if and when.

OK, thanks it is clear and I agree.

I will first install DBmail as a copy of our Postfix server to build a
database and will then study the SQL logs and source code.

I am not sure whether mySQL supports schemas, for sure it can be
emulated using table prefix and proper ownership. By the way, I am not
very interested in MySQL, as the developer community is dead and MySQL
is non-standard and slow and low-featured (but always boasting to be the
best).

Kind regards,
Kellogs

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
paul at nfg
May 30, 2014, 10:57 AM
Post #4 of 11 (4399 views)
Permalink
On 29-05-14 01:20, Jean-Michel Pouré - GOOZE wrote:
> Thank you for explanations.
>
>> Lightweight copying of messages, ability to link messages to multiple
>> mailboxes.
> [...]
>> JOINS are unavoidable in a highly normalized schema. If you know a
>> better way to retrieve the same information, please share.
>
> OK, I understand the logic now.
>
> IMHO, it should not be allowed to link a single message to multiple
> mailboxes. Because multiple mailboxes are read by different people. This
> opens a possible security breach.

Sigh. You are giving opinions based on lack of information, talking
about security without providing the actual threat vector. There is no
security threat involved when a single rfc2822 message (a physmessage)
is references by multiple mailboxes owned by multiple users. Any
information that is pertinent to a mailbox is only accessible by the
owner of that mailbox - unless the mailbox is shared via an ACL
configuration.

>> Security issues from JOINs?? what are you talking about?
>
> This one in imapd.c:
> p_string_printf(query, "SELECT m.message_idnr, n.headername,
> v.headervalue%s "
> "FROM %sheader h"
> "LEFT JOIN %smessages m ON h.physmessage_id=m.physmessage_id"
> "LEFT JOIN %sheadername n ON h.headername_id=n.id"
> "LEFT JOIN %sheadervalue v ON h.headervalue_id=v.id"
> "WHERE m.mailbox_idnr = %" PRIu64 ""
> "AND m.message_idnr %s"
> "AND n.headername %s IN ('%s')"
> "ORDER BY message_idnr, seq",
> not?"":fieldorder->str,
> DBPFX, DBPFX, DBPFX, DBPFX,
> self->mailbox->id, p_string_str(range),
> not?"NOT":"", bodyfetch->hdrnames);
>
> IF(?) someone is able to inject m.mailbox_idnr value using a modified
> imap client, this query allows to read any emails in the database.

Of course. Earlier versions of dbmail added the owner_idnr into the mix
for that reason. But the mailbox_idnr in this case is trusted, making
such an additional join redundant.

The mailbox idnr value does not originate from the mail client. A
mailclient opens a mailbox by name (x select INBOX), and the dbmail imap
code then determines the mailbox idnr from there. The list of
headernames being matched against here is open for auditing. You might
be able to inject a colon there, but no spaces. Seems difficult to
construct a malicious query without spaces...

>
> An SQL injection can happen when there is a security breach somewhere
> else.

Sure. So? I did a full Coverity fixup earlier this year against the
master branch. Nothing major was uncovered. Lots of small cleanup. And
it would require a serious buffer overflow, stack trash or a similar
attack to inject malicious SQL, as far as I can tell. I'm not saying it
can't be done. But general assertions that DBMail is at risk without any
kind of proof, is plain FUD.

>
>>> 2) Privilege separation
>>>
>>> I read the post on the WIKI with interest and would like to add this
>>> information:
>>
>> what post is that?
>
> http://www.dbmail.org/dokuwiki/doku.php/privsep

Ah. I don't know who wrote that. The implications of such a change are
being underestimated, and benefits are vague and unclear - even in
security terms.

> Why not change this and have:
> * one DB user
> * and one SCHEMA
> => for each IMAP account?
>
>>> Using schemas, it may be possible to create as many database structures
>>> using an imap identifier (john@doe.fr).
>>
>> Ok. Sounds cool. But can you still share some tables? Like the main
>> message store?
>
> Again, I think sharing information between users is a security breach.

Shared mailboxes are a feature. And the mailstore is optimized for
de-duplicating content. Kind of like throwing out the baby with the
bath-water (a dutch saying, maybe?).

> The main reasons why servers are getting hacked are (1) dns forgery (2)
> email systems. Penetration of email systems are very painful as they
> reveal secrets.

Of course. Opening your mailbox and seeing someone else's email is not
pretty.

>
>>> Could you point me to any filter against database injection in the
>>> source code. Where is it located in source code?
>
> It is very likely that some SQL injection is possible in the code. I did
> not test or looked deeply, but since you dont' filter SQL statements AND
> share tables between users, it is ***VERY*** likely.

There is *nothing* to filter! End-users can not inject SQL, afaik. All
queries are either constructed as prepared statements, or constructed
from content from trusted (internal) sources.

> I am not sure whether mySQL supports schemas, for sure it can be
> emulated using table prefix and proper ownership. By the way, I am not
> very interested in MySQL, as the developer community is dead and MySQL
> is non-standard and slow and low-featured (but always boasting to be the
> best).

MariaDB seems pretty alive and kicking. And the installed base of MySQL
is very impressive.

For the truly paranoid, it's trivial to run separate databases per user.
Just set up a database per user, use LDAP for central authentication,
and use some proxy like Perdition or nginx to connect to the right
database. You'll have to add user-based transports in SMTP, but once you
do that, you're all set. Of course, scalability sucks in such a setup.
But what the heck.


--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
jmpoure at gooze
May 30, 2014, 1:42 PM
Post #5 of 11 (4404 views)
Permalink
Le vendredi 30 mai 2014 à 19:57 +0200, Paul J Stevens a écrit :
> > p_string_printf(query, "SELECT m.message_idnr, n.headername,
> > v.headervalue%s "
> > "FROM %sheader h"
> > "LEFT JOIN %smessages m ON h.physmessage_id=m.physmessage_id"
> > "LEFT JOIN %sheadername n ON h.headername_id=n.id"
> > "LEFT JOIN %sheadervalue v ON h.headervalue_id=v.id"
> > "WHERE m.mailbox_idnr = %" PRIu64 ""
> > "AND m.message_idnr %s"
> > "AND n.headername %s IN ('%s')"
> > "ORDER BY message_idnr, seq",
> > not?"":fieldorder->str,
> > DBPFX, DBPFX, DBPFX, DBPFX,
> > self->mailbox->id, p_string_str(range),
> > not?"NOT":"", bodyfetch->hdrnames);

> Of course. Earlier versions of dbmail added the owner_idnr into the
> mix
> for that reason. But the mailbox_idnr in this case is trusted, making
> such an additional join redundant.

OK, let's talk about attack scenarios:
* dbmail is running on "mail" dedicated server.
* database is hosted on "db" a separate dedicated server.

A malicious rootkit is installed on "mail" and is able to modify memory
interactively (just like a gdb debugger, but no debugger is needed with
a rootkit). The attacker only needs to switch the few bits of
m.mailbox_idnr in the query. I have seen such rootkits. Such an attacker
would have access to all data and would be able to read ALL emails. I
know these are headers only, but it seems possible to read more if the
SQL query is modified interactively.

OKay, an attacker with a rootkit knows "db" password and has root
access.

Now, let's face a second situation, where the attacker has discovered a
leak in dbmail (or in the OS) and is able to change interactively these
few bits. The result would be the same.

Now, let's face a third situation where dbmail would only have access to
a limited schema, protected by a PostgreSQL user/password, as I
mentioned earlier. Even in case of a leak, the attacker would only be
able to read his own mail. In case of a rootkit, the main "db" password
is only known by administrator and the attacker only knows his own
password.

I don't want to mean that dbmail is broken in C code programming (it
seems well-written), but in database design, for sure. dbmail should run
only on a server with enhanced security, memory protection like grsec
patch and even that is not secure given that security is stuck into
dbmail and should rely more on PostrgeSQL (or MySQL).

The main modifications needed are:
* No sharing of emails. CC and BC should result in a copy in the
database.
* Database user level security relying on either schemas or table prefix
(which is the same).

Do you know whether MySQL supports schemas like PostgreSQL or Oracle do?
The problem with MySQL development is that at some point, you usually
bump on non-standard features and you are bound to support the worst
database in the world, an many people love it, so you have to emulate
what comes standard with PostgreSQL or Oracle. And in the end, you are
not even sure whether MySQL still exists as a community, as it is being
bought and sold all the time. i understand the rules of supporting
MySQL, but is there schema support on latest MySQL versions or do we
have to emulate that with table prefix?

Kind regards,
Kellogs


_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
jmpoure at gooze
May 30, 2014, 1:53 PM
Post #6 of 11 (4400 views)
Permalink
> For the truly paranoid, it's trivial to run separate databases per
> user.
> Just set up a database per user, use LDAP for central authentication,
> and use some proxy like Perdition or nginx to connect to the right
> database. You'll have to add user-based transports in SMTP, but once
> you
> do that, you're all set. Of course, scalability sucks in such a
> setup.
> But what the heck.

This is not being paranoïd. There are thousands of successful attacks
every day, so the event for a successful attack on a dbmail server (at
least at OS level) is very likely.

DBmail runs very large setups. Putting all security into dbmail and not
in the database is just attracting bees with honey. Furthermore, don't
expect admins to setup a complex proxy with 10.000 users and accounts,
when the database is broken by design. This is the job of the
developers, especially those announcing that dbmail is VERY secure, to
offer bullet-proof security, even in case of malicious attack using a
rootkit.

Kind regards,
Kellogs

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
paul at nfg
May 31, 2014, 3:15 AM
Post #7 of 11 (4397 views)
Permalink
On 30-05-14 22:42, Jean-Michel Pouré - GOOZE wrote:
> OK, let's talk about attack scenarios:

Now we're talking :-)

> OKay, an attacker with a rootkit knows "db" password and has root
> access.

Would that be prevented by putting a proxy like nginx in front of the
mail service, on an isolated vps or lxc container?

> Now, let's face a second situation, where the attacker has discovered a
> leak in dbmail (or in the OS) and is able to change interactively these
> few bits. The result would be the same.

Agreed. Though I think this might be remedied (at least partially) by
putting a proxy in front of dbmail, and running dbmail as a
non-privileged user on a high port. (Again, running dbmail on a
dedicated VPS or container).

Using a proxy would make it *much* harder to break into the dbmail host,
I suspect. But if you gain shell on the proxy, you can use that to break
into dbmail. It's not inconceivable, so let's assume it's possible.

> Now, let's face a third situation where dbmail would only have access to
> a limited schema, protected by a PostgreSQL user/password, as I
> mentioned earlier. Even in case of a leak, the attacker would only be
> able to read his own mail. In case of a rootkit, the main "db" password
> is only known by administrator and the attacker only knows his own
> password.

That would add only one additional layer. First you'd have to break the
proxy, next the dbmail host, and lastly the postgresql host.


> I don't want to mean that dbmail is broken in C code programming (it
> seems well-written), but in database design, for sure. dbmail should run
> only on a server with enhanced security, memory protection like grsec
> patch and even that is not secure given that security is stuck into
> dbmail and should rely more on PostrgeSQL (or MySQL).

Assuming those are more secure. Which is probably a safe assumption, but
still an assumption.

> The main modifications needed are:
> * No sharing of emails. CC and BC should result in a copy in the
> database.

Not much changes needed there since the shared noting storage is implied by:

> * Database user level security relying on either schemas or table prefix
> (which is the same).
>
> Do you know whether MySQL supports schemas like PostgreSQL or Oracle do?

I don't think MySQL or MariaDB support it. At least I can't find
anything related to it.

> The problem with MySQL development is that at some point, you usually
> bump on non-standard features and you are bound to support the worst
> database in the world, an many people love it, so you have to emulate
> what comes standard with PostgreSQL or Oracle. And in the end, you are
> not even sure whether MySQL still exists as a community, as it is being
> bought and sold all the time. i understand the rules of supporting
> MySQL, but is there schema support on latest MySQL versions or do we
> have to emulate that with table prefix?

It looks like it. With MariaDB there is some hope for full SQL-99
compliance, but I'm not holding my breath.




--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
paul at nfg
May 31, 2014, 3:17 AM
Post #8 of 11 (4403 views)
Permalink
On 30-05-14 22:53, Jean-Michel Pouré - GOOZE wrote:

> This is not being paranoïd. There are thousands of successful attacks
> every day, so the event for a successful attack on a dbmail server (at
> least at OS level) is very likely.

It is being paranoid. But probably rightly so.


--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
jmpoure at gooze
Jun 2, 2014, 6:07 AM
Post #9 of 11 (4388 views)
Permalink
Dear Paul,

> Agreed. Though I think this might be remedied (at least partially) by
> putting a proxy in front of dbmail, and running dbmail as a
> non-privileged user on a high port. (Again, running dbmail on a
> dedicated VPS or container).
>
> Using a proxy would make it *much* harder to break into the dbmail host,
> I suspect. But if you gain shell on the proxy, you can use that to break
> into dbmail. It's not inconceivable, so let's assume it's possible.

LXC is getting better every day.

> That would add only one additional layer. First you'd have to break the
> proxy, next the dbmail host, and lastly the postgresql host.

Indeed, the security layer should be in the database (i.e. schema), as
close as possible from where the data is stored.

This reduces the space for any attack to a minimum. If you add more
security layers like LXC or proxies, you probably widen the attack
space. LXC or a proxy will not stop an attacker from doing SQL
injections.

> It looks like it. With MariaDB there is some hope for full SQL-99
> compliance, but I'm not holding my breath.

SQL 99 is 15 years ago, so we can count that Schema is getting mature
and is NOT a fancy. So let's use them if MariaDB supports them.

It does, here it is:
https://mariadb.com/kb/en/create-schema-statement/

I will set up a testing host and enquire what needs to be done. The
beauty of Schemas is that VERY LITTLE coding is required. We only need a
schema name and table prefix. I think less than 500 lines of source code
are needed, not more.

The most difficult part is migrating the existing user base and changing
the delivery mechanism to handle CCs and BCs in separate mailboxes
without introducing new bugs.

Schema could also be used to improve some kind of legal backup
mechanism. In most countries like US and EU, mail has to be kept
untouched during a legal time. Using schema "foo" (R/W/D rights) and
"foo_backup" (Read-only) would improve DBmail. Depending on settings,
this would also allow users to retrieve old mail, but without any
possibility for modification. Simple and powerful.

Kind regards,
Kellogs

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
paul at nfg
Jun 8, 2014, 8:12 AM
Post #10 of 11 (4374 views)
Permalink
On 02-06-14 15:07, Jean-Michel Pouré - GOOZE wrote:

> LXC is getting better every day.

Yep, I'm all into docker these days.

> This reduces the space for any attack to a minimum. If you add more
> security layers like LXC or proxies, you probably widen the attack
> space. LXC or a proxy will not stop an attacker from doing SQL
> injections.

I tend to disagree there. You need to trigger a buffer-overflow or
something similar to trigger a SQL injection. Is that possible when
there's a proxy in front? You'd have to break the proxy first, I think.

> It does, here it is:
> https://mariadb.com/kb/en/create-schema-statement/

That page had me hoping for the same. But the disclaimer at the top
clearly states that this is about sql-99, not about mariadb. I checked
on my own mariadb installation, and it doesn't support create schema,
afaict.

> Schema could also be used to improve some kind of legal backup
> mechanism. In most countries like US and EU, mail has to be kept
> untouched during a legal time. Using schema "foo" (R/W/D rights) and
> "foo_backup" (Read-only) would improve DBmail. Depending on settings,
> this would also allow users to retrieve old mail, but without any
> possibility for modification. Simple and powerful.

People use dbmail for similar setups but doing a global BCC to a dbmail
setup that doesn't provide client access.


--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
Re: dbmail SQL structure, SCHEMA support, SQL injection [ In reply to ]
jmpoure at gooze
Jun 10, 2014, 2:28 PM
Post #11 of 11 (4371 views)
Permalink
> I tend to disagree there. You need to trigger a buffer-overflow or
> something similar to trigger a SQL injection. Is that possible when
> there's a proxy in front? You'd have to break the proxy first, I
> think.

The question is rather "what happens in case of buffer overflow" or
"what happens when a rootkit is used" or "what happens if the server is
not well-configured" or "what happens if Mallet is working in the
datacenter where where DBMAIL is hosted".

A proxy will not stop attacks, on the converse it will make them easier.

A database proxy (= a database pool controller) manages several
connections at once and keeps them alive to pipeline all queries. The
superviser of the pool *may* inject SQL very easily. The proxy may be
well-written, if the server is not well configured, it can be
penetrated.

Again, the problem lies in a single database for several users. Try to
set-up a database with 1000 users and you understand my concern about
security.

With DBMAIL and schemas, you need to be root to penetrate the data (just
like in a normal Postfix installation relying on Unix users). Only
physical access will allow Mallet to penetrate your server.

With DBMAIL in the present design, a user with no special privilege may
read ALL emails. This is a question of design.

The next question is how valuable is the data from DBMAIL users. The
problem is that DBMAIL is used for large installations, store emails
(secrets) and therefore, given the current database design, it is likely
that you are a target.

Besides, Schema can be emulated with table prefix in MySQL. Schema is
only automatic prefixing. So nothing should stop us from using
schema/table prefix.

Kind regards,
Kellogs

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal