
Key: CORE-304
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Dmitry Yemanov
Reporter: ded
Votes: 2
Watchers: 2

Firebird Core

Metadata security hole - any user can alter/drop generators and exceptions

Created: 12/Jun/02 12:00 AM   Updated: 18/Oct/16 07:55 PM
Component/s: Engine
Affects Version/s: 2.1.0, 2.1.1, 2.0.5, 2.1.2, 2.1.3, 3.0 Initial, 2.0.6, 2.5.0, 2.1.4, 2.5.1
Fix Version/s: 3.0 Alpha 1

SF_ID: 567931
QA Status: Done successfully

Description
SFID: 567931#
Submitted By: ded

  ANY user can drop procedures, generators, exceptions.
Tables, indices and triggers are not affected. To

1. Connect as SYSDBA
2. Create Procedure Test As Begin Exit; End
3. Disconnect and connect as any user
4. Drop Procedure Test - successfully.

  Interesting is the next: if before step 4 try to

Execute Procedure Test

exception 551 will be raised and after it step 4 will
raise expected exception 607 - unsuccessful metadata
update -ERASE RDB$PROCEDURES failed -no permission for
delete access to PROCEDURE TEST.

Confirmed on builds WI-V1.0.0.794, LI-V6.2.796.

Best regards, Alexander V.Nevsky.

Alice F. Bird added a comment - 14/Jun/06 09:38 AM
Date: 2005-05-22 09:56
Sender: dimitr
Logged In: YES

Generators and exceptions don't have an owner, hence the
issue. But this shouldn't be the case for procedures. Needs