librdkafka
Harmful function call (system). Consider doing `kinit` programmatically
In ClickHouse CI, we check whether there is any usage of glibc functions which are considered harmful.
Recently it caught a system function call made by librdkafka (firing kinit).
It seems like kinit (getting/refreshing TGT) can be done programmatically: https://github.com/ClickHouse/ClickHouse/issues/27651
Loosely related to https://github.com/edenhill/librdkafka/issues/2709
Just so I understand, given that the client configuration is controlled by the user, what is the attack vector for `system("$kinit ..")`?
See some reasoning https://github.com/ClickHouse/ClickHouse/issues/27651#issuecomment-899008585
Imagine that an RDBMS user (he is not the server admin) can create engine=Kafka tables (internally librdkafka consumers) and control their configuration by DDL. You don't want to allow him to run some binaries on the DB server.
P.S. It's not possible in ClickHouse, but it illustrates the potential issue: the user who is allowed to create and use as many librdkafka consumers as he needs may not be allowed to run any binaries on the server.
There's also `plugin.library.paths=` that can be used to load dynamic libraries.
We could add something like `rd_kafka_conf_disable_unsafe_properties(rd_kafka_conf_t *);` that such applications can use to disable any unsafe properties to be set with `..rd_kafka_conf_set()`.
Would that solve it?
You can just do the same as kinit does using krb5_ API calls.
BTW: that was fixed inside ClickHouse this way: https://github.com/ClickHouse/ClickHouse/pull/38105/files
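
An application-side form of the guard discussed in this thread, added here as an example and not code from librdkafka or ClickHouse: it rejects the two settings raised above before any property reaches the configuration object. `apply_untrusted_conf`, `conf_setter` and `count_setter` are hypothetical names, the setter stands in for a wrapper around `rd_kafka_conf_set()`, and the deny-list is an assumption that covers only those two properties.

```c
#include <ctype.h>
#include <stdio.h>

/* Properties that run a command or load code (the two raised in the thread).
 * Assumption: sasl.kerberos.kinit.cmd is the setting behind system("kinit"). */
static const char *const unsafe_props[] = {
    "sasl.kerberos.kinit.cmd", "plugin.library.paths" };
struct kv { const char *name, *value; };
/* Hypothetical setter type; an application would wrap rd_kafka_conf_set(). */
typedef int (*conf_setter)(void *conf, const char *name, const char *value);

/* Case-insensitive compare so a differently cased name cannot slip past. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int is_unsafe(const char *name) {
    for (size_t i = 0; i < sizeof unsafe_props / sizeof *unsafe_props; i++)
        if (eq_nocase(name, unsafe_props[i])) return 1;
    return 0;
}

/* Check every pair before applying any, so a rejected request changes nothing.
 * Returns 0 on success, -1 on rejection or setter failure (reason in errstr). */
int apply_untrusted_conf(void *conf, conf_setter set, const struct kv *kv,
                         size_t n, char *errstr, size_t errsize) {
    for (size_t i = 0; i < n; i++)
        if (is_unsafe(kv[i].name)) {
            snprintf(errstr, errsize, "property \"%s\" not allowed", kv[i].name);
            return -1;
        }
    for (size_t i = 0; i < n; i++)
        if (set(conf, kv[i].name, kv[i].value) != 0) {
            snprintf(errstr, errsize, "setting \"%s\" failed", kv[i].name);
            return -1;
        }
    return 0;
}

/* Constructed stand-in setter: counts calls instead of calling librdkafka. */
static int count_setter(void *conf, const char *name, const char *value) {
    (void)name; (void)value; ++*(int *)conf; return 0;
}

int main(void) {
    /* Constructed request: one ordinary setting, one that loads a library. */
    struct kv req[] = { {"group.id", "g1"}, {"plugin.library.paths", "libexample.so"} };
    int calls = 0; char err[128] = "";
    int rc = apply_untrusted_conf(&calls, count_setter, req, 2, err, sizeof err);
    printf("rc=%d calls=%d err=%s\n", rc, calls, err);
}
```

A deny-list only covers the properties it names, so an allow-list of permitted settings is the stricter choice when the configuration comes from users who must not run code on the server.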