Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Metadata security hole - any user can alter/drop generators and exceptions [CORE304] #637

Closed
firebird-automations opened this issue Jun 12, 2002 · 15 comments

Comments

@firebird-automations
Copy link
Collaborator

Submitted by: ded (ded)

Is related to CORE735
Is duplicated by CORE3681
Is related to QA500

Votes: 2

SFID: 567931#⁠
Submitted By: ded

ANY user can drop procedures, generators, exceptions.
Tables, indices and triggers are not affected. To
reproduce:

1. Connect as SYSDBA
2. Create Procedure Test As Begin Exit; End
3. Disconnect and connect as any user
4. Drop Procedure Test - successfully.

Interesting is the next: if before step 4 try to

Execute Procedure Test

exception 551 will be raised and after it step 4 will
raise expected exception 607 - unsuccessful metadata
update -ERASE RDB$PROCEDURES failed -no permission for
delete access to PROCEDURE TEST.

Confirmed on builds WI-V1.0.0.794, LI-V6.2.796.

Best regards, Alexander V.Nevsky.

Commits: e956e2e

@firebird-automations
Copy link
Collaborator Author

Commented by: Alice F. Bird (firebirds)

Date: 2005-05-22 09:56
Sender: dimitr
Logged In: YES
user_id=61270

Generators and exceptions don't have an owner, hence the
issue. But this shouldn't be the case for procedures. Needs
checking.

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

Fix Version: 3.0 [ 10048 ]

SF_ID: 567931 =>

@firebird-automations
Copy link
Collaborator Author

Modified by: @pcisar

Workflow: jira [ 10328 ] => Firebird [ 14561 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

Fix Version: 3.0 Alpha 1 [ 10331 ]

Fix Version: 3.0.0 [ 10048 ] =>

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

Link: This issue is related to CORE735 [ CORE735 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @AlexPeshkoff

Link: This issue is duplicated by CORE3681 [ CORE3681 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

assignee: Alexander Peshkov [ alexpeshkoff ] => Dmitry Yemanov [ dimitr ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

summary: Metadata security hole => Metadata security hole - any user can alter/drop generators and exceptions

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.0.6 [ 10303 ]

Version: 3.0 Initial [ 10301 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.0.5 [ 10222 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @pcisar

Link: This issue is related to QA500 [ QA500 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @pavel-zotov

QA Status: No test

@firebird-automations
Copy link
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment