lock on the db files - Githubissues

codenotary / immudb

immudb - immutable database based on zero trust, SQL/Key-Value/Document model, tamperproof, data change history

https://immudb.io

Other

8.52k stars 337 forks source link

lock on the db files #79

Closed ghost closed 4 years ago

ghost commented 4 years ago

It should not be possible to edit the DB files. We need a lock on them.

We also need a security mechanism to detect that data is not lost. Check with mmap. Also be aware of NFS.

ghost commented 4 years ago

https://gavv.github.io/articles/file-locks/

padurean commented 4 years ago

@andrei-lihu nice for understanding, but we can’t work at linux level, we probably need to use some 3rd party Go library which also supports Windows.

padurean commented 4 years ago

@andrei-lihu Badger is already creating a lock:

The top-level object in Badger is a DB. It represents multiple files on disk in specific directories, which contain the data for a single database. Please note that Badger obtains a lock on the directories so multiple processes cannot open the same database at the same time.

padurean commented 4 years ago

padurean commented 4 years ago

None of the following is preventing db files to be edited:

I've tested with all 3 and each time i was able to edit files in the db folder even if immudb is running.

padurean commented 4 years ago

File locking mechanisms, like flock on *nix systems, are probably not suited for the task at hand (i.e. preventing anyone to change a db file) as they are “cooperative measures”:

“Note that [flock] is a cooperative measure, so other processes will need to use the same system otherwise there will be nothing to stop them doing what they like with the file.”

https://stackoverflow.com/questions/29564267/locking-a-file-for-both-read-and-write

padurean commented 4 years ago

Anyway, even if it worked as imagined (it doesn't as it's a cooperative mechanism, as described in the link at the previous comment), file/directory locking would not be a good solution since once the process is stopped, the lock is removed. After more research i found out that Badger already supports encryption - see section Enabling Encryption on an Existing Datastore in this article from March 2020: https://dgraph.io/blog/post/encryption-at-rest-dgraph-badger/

This is how Go code to enable encryption looks:

opts := badger.DefaultOptions("/tmp/badger").
    WithEncryptionKey(masterKey).
    WithEncryptionKeyRotationDuration(dataKeyRotationDuration) # defaults to 10 days

To summarize:

to somewhat prevent data corruption on the server the only option which makes sense (at list up til now) is by using permissions on the database folder (user with root/sudo permissions would still be able to modify)
to provide data tampering protection strictly at the server level (as for client-server we already have it since the client already has the .root file against checks can be made), we can encrypt the data as described above

padurean commented 4 years ago

As discussed, this issue will be parked for now. The attempted implementation will still be kept in this feature branch: https://github.com/codenotary/immudb/tree/feat/db-files-tampering-detection