PostgreSQL 對 fsync() 的修正

上次寫了「PostgreSQL 對 fsync() 的行為傷腦筋...」提到 fsync() 有些地方是與開發者預期不同的問題,但後面忘記跟進度...

剛剛看到 Percona 的人寫了「PostgreSQL fsync Failure Fixed – Minor Versions Released Feb 14, 2019」這篇才發現在 2/14 就出了對應的更新,從 release notes 也可以看到:

By default, panic instead of retrying after fsync() failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)

Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync() failure. If we reissue the fsync() request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.

A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.

現在的 workaround 是遇到 fsync() 失敗時為了避免 data corruption,會直接 panic 讓整個 PostgreSQL 從 WAL replay 記錄,也代表 HA 機制 (如果有設計的話) 有機會因為這個原因被觸發...

不過也另外設計了 data_sync_retry,讓 PostgreSQL 的管理者可以硬把這個 panic 行為關掉,改讓 PostgreSQL 重新試著 fsync(),這應該是在之後 kernel 有修改時會用到...

義大利政府的反貪組織用 Tor 的 Onion (Hidden Service) 接受檢舉

在「Italian Anti-Corruption Authority (ANAC) Adopts Onion Services」這邊看到,義大利政府因為法令要求必須保護告密者,而不只是在需要提供身份的階段才保護:

Many national laws (such as Italian Dlgs. 231/2001) require companies to adopt corporate governance structures and risk prevention systems, which can include allowing whistleblowing submissions. However, most whistleblowing laws only protect whistleblowers when their identity is disclosed, which can put the person reporting corruption at risk.

In 2016, the International Standards Organization (ISO) released a new model for organizations setting up and operating anti-bribery management systems, ISO 37001:2016. To meet ISO standards, organizations or companies implementing anti-corruption procedures must allow anonymous reporting, as explicitly indicated in point 8.9 of section C of ISO 37001:2016.

Furthermore, national laws (such as recent Italian 179/2017) require the adoption of IT systems for whistleblowing, leading to the practical integration and use of Tor for its technological anonymity features.

而義大利政府的系統選擇用 Tor 的 Onion (Hidden Service) 提供服務接受檢舉:

To comply with these standards, the Italian Anti-Corruption Authority (ANAC), an administrative watchdog, just launched their national online whistleblowing platform using onion services, giving whistleblowers who come forward a secure way to report illegal activity while protecting their identities.

這使用了 hidden service 的特性,讓伺服器端完全無法得知 client 的位置,對於使用有足夠保護的 browser 來說 (像是 Tor Browser),這可以完全讓 server 端無法得知身份,即使政府的伺服器都入侵也沒辦法知道告密者是誰。

這點頗先進的...

最近 OpenVPN 的安全性漏洞...

看到「The OpenVPN post-audit bug bonanza」這個只有苦笑啊...

作者在 OpenVPN 經過一連串的安全加強後 (包括 harden 計畫與兩個外部單位的程式碼稽核找到不少問題),決定出手挖看看:

After a hardening of the OpenVPN code (as commissioned by the Dutch intelligence service AIVD) and two recent audits 1 2, I thought it was now time for some real action ;).

然後就挖出不少問題了...

可以看到作者透過 fuzzing 打出一卡車,包含了不少 crash XDDD:(然後有一個是 stack buffer corruption,不知道有沒有機會變成 RCE)

  • Remote server crashes/double-free/memory leaks in certificate processing (CVE-2017-7521)
  • Remote (including MITM) client crash, data leak (CVE-2017-7520)
  • Remote (including MITM) client stack buffer corruption
  • Remote server crash (forced assertion failure) (CVE-2017-7508)
  • Crash mbed TLS/PolarSSL-based server (CVE-2017-7522)
  • Stack buffer overflow if long –tls-cipher is given