New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Long ACLs truncated [CORE1957] #2395
Comments
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Open [ 1 ] Fix Version: 2.5 Beta 1 [ 10251 ] Fix Version: 2.1.2 [ 10270 ] Fix Version: 1.5.6 [ 10225 ] Fix Version: 2.0.5 [ 10222 ] |
Commented by: @AlexPeshkoff Very possible, but I've never seen it. |
Commented by: @AlexPeshkoff Correction - selected first in wrong box |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Open [ 1 ] Target: 2.5 Beta 1, 2.1.2, 1.5.6, 2.0.5 [ 10251, 10270, 10225, 10222 ] Fix Version: 2.5 Beta 1 [ 10251 ] => Fix Version: 2.1.2 [ 10270 ] => Fix Version: 1.5.6 [ 10225 ] => Fix Version: 2.0.5 [ 10222 ] => |
Modified by: @AlexPeshkoffFix Version: 2.5 Beta 1 [ 10251 ] |
Modified by: @AlexPeshkoffFix Version: 2.1.2 [ 10270 ] |
Commented by: @dyemanov Is this going to be backported into 1.5.6 and 2.0.5, as intended originally? |
Modified by: @AlexPeshkoffTarget: 2.5 Beta 1, 2.1.2, 1.5.6, 2.0.5 [ 10251, 10270, 10225, 10222 ] => 1.5.6 [ 10225 ] status: Open [ 1 ] => Open [ 1 ] |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Open [ 1 ] |
Commented by: @AlexPeshkoff Now ported to all 4 supported branches. |
Modified by: @AlexPeshkoff |
Modified by: @pcisarstatus: Resolved [ 5 ] => Closed [ 6 ] |
Modified by: @pavel-zotovQA Status: No test |
Modified by: @pavel-zotovstatus: Closed [ 6 ] => Closed [ 6 ] QA Status: No test => Cannot be tested |
Submitted by: @AlexPeshkoff
Is related to CORE216
Relate to CORE2223
Votes: 1
This was reported to me privately by Paul Beach.
The grant.epp code turns out to have a couple of bugs that
interact badly with ib_replicator. The replicator grants
privileges on the replication log table to triggers it
generates for each table to be replicated. The result is
long ACLs - both lots of entries and relatively long (>20
character) names.
The original bug, present in all versions of Firebird
is in save_security_class:
blob = BLB_create(tdbb, dbb->dbb_sys_trans, (BID)&blob_id);
BLB_put_segment(tdbb, blob, buffer, length);
BLB_close(tdbb, blob);
BLB_put_segment takes an unsigned short for the length. As a
result, the ACL is limited to 64Kb, or about 2600 entries if
the average user name is about 20 bytes. An ACL is stored
in order by the type of object being granted rights - people,
then views, then triggers, procedures, and finally roles,
with lots of other stuff (uid, gid, node id) scattered around
for historical accuracy. What that means is that a GRANT ALL
TO PUBLIC will ordinarily fix all grant problems.
The code that builds the ACL originally used the normal pool
allocation mechanism which uses a ULONG to describe the amount
of memory it wants. In version 1.5 ACL is stored in the string class.
That class has a unsigned short length, also limiting ACL's length.
Commits: 7ba8a6f 91ad4a7 fb26565 aeba7e6
The text was updated successfully, but these errors were encountered: