Prohibit an ability to issue DML or DDL statements on RDB$ tables [CORE4731] #5037
Comments
Modified by: @pavel-zotovAttachment: rdb-vulnerable-statements.zip [ 12691 ] |
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @AlexPeshkoffFix Version: 3.0 Beta 2 [ 10586 ] |
|
Commented by: Sean Leyne (seanleyne) As written, the case subject would imply that SYSDBA should not be allowed to: - add new user defined columns (ie. add "Change_Datetime" to RDB$Relation_Fields) If this case was worded to read "Restrict from DML and DDL operations on system defined (RDB$) schema objects to SYSDBA/database owner" then I would support same. But as worded, I do not. |
Modified by: @AlexPeshkoffsummary: Prohibit any ability to issue DML or DDL statements on RDB$ tables => Prohibit an ability to issue DML or DDL statements on RDB$ tables |
|
Commented by: @AlexPeshkoff Some system tables must be opened for dba write access by design. Also keep for dba an ability to extend structure of system tables. But disable any non-dba access to both DML and DDL operations with system tables. |
|
Commented by: @asfernandes > Also keep for dba an ability to extend structure of system tables. Why? |
|
Commented by: @AlexPeshkoff The answer is in Sean's comment. |
|
Commented by: @asfernandes They do not survive backups, so it's not a feature. If there is a reason to add them, then it must be done completelly. The only thing I think we should (if possible) support now is user FKs referencing system tables. |
|
Commented by: @pavel-zotov As of current build (LI-T3.0.0.31789) the following script still can be perform *WITHOUT* producing errors (but now - only from SYSDBA; non privileged user can not do anything with system tables from above mentioned scripts):set autoddl off;
|
|
Commented by: @AlexPeshkoff Yes, some of DML commands will remain available for SYSDBA. But to say how much of them - let's wait a little for Sean to be able to say his mind. |
|
Commented by: @sim1984 All these tricks with expandable system tables can be easily cut off DDL triggers. To date, only statements COMMENT ON, GRANT and REVOKE are not covered by them. |
|
Commented by: @pavel-zotov It should be mentioned that NON-privileged user still able to create a table and add FOREIGN KEY to it which references to RDB$-tables. Sample:shell del C:\MIX\firebird\QA\fbt-repo\tmp\c4731.fdb 2>nul; create database 'localhost/3330:C:\MIX\firebird\QA\fbt-repo\tmp\c4731.fdb'; drop user tmp$c4731; connect 'localhost/3330:C:\MIX\firebird\QA\fbt-repo\tmp\c4731.fdb' user 'tmp$c4731' password '123'; ------------- RE-connect as non-priv. user select current_user, current_role from rdb$database; recreate table test1( recreate table test2( recreate table test3( set echo on; drop table test1; STDOUT:USER ROLE show table test1; Tested on WI-T3.0.0.31789. PS. Adding clause 'ON UPDATE | DELETE CASCADE | SET NULL' in FK-definition is now PROHIBITED for non-privileged user (but allowed for SYSDBA). |
|
Commented by: @pavel-zotov > but allowed for SYSDBA ... and this is BAD. Because:C:\MIX\firebird\QA\fbt-repo\tmp>isql -q |
|
Commented by: @dyemanov User-defined triggers on system tables never worked reliably and should not be supported, especially given the new DDL triggers feature. |
|
Commented by: @pavel-zotov Dmitry, and what about ability to create foreign keys (with or without adding 'ON DELETE | UPDATE' clause) ? Should this be prohibited also ? |
|
Commented by: @dyemanov As for me, this should. Everything outside the engine should work as if system tables were read-only (or look like "virtual" tables). |
|
Commented by: @AlexPeshkoff Pavel, access to system tables seems to be prohibited (except a few where it's really needed). Can you recheck once more? |
|
Commented by: @mrotteveel What do we do with explicitly documented use cases of these loopholes, for example as documented on http://www.firebirdsql.org/file/documentation/reference_manuals/reference_material/html/langrefupd25-ddl-filter.html: The value for rdb$field_name must always be 'RDB$FIELD_SUB_TYPE'. If you define your mnemonics in all-uppercase, you can use them case-insensitively and unquoted in your filter declarations. NOTE: I haven't tested this yet in recent versions |
|
Commented by: @AlexPeshkoff Mark, DML for user records in RDB$TYPES works. |
|
Commented by: @pavel-zotov > Pavel, access to system tables seems to be prohibited (except a few where it's really needed). Can you recheck once more? Alex, I've created more or less complex script which does following: 1) creates log table with name 'vulnerable_on_sys_tables' for accumulating vulnerable expression; 2) reads all RDB$-tables which have PK / UNIQUE constraints and build upon their data expressions like: 3) reads again all RDB$-tables and tries to make following maniputations with each of them: All these expressions should FAIL if they are issued by NON-sysdba. RESULTS:1) NON-privileged user can NOT successfully execute any of mentioned statements; insert into RDB$BACKUP_HISTORY(RDB$BACKUP_ID , RDB$TIMESTAMP , RDB$BACKUP_LEVEL , RDB$GUID , RDB$SCN , RDB$FILE_NAME) values(null, null, null, null, null, null); insert into RDB$DB_CREATORS(RDB$USER , RDB$USER_TYPE) values(null, null); update RDB$DB_CREATORS set RDB$USER=null, RDB$USER_TYPE=null rows 1; delete from RDB$DB_CREATORS; insert into RDB$TYPES(RDB$FIELD_NAME , RDB$TYPE , RDB$TYPE_NAME , RDB$DESCRIPTION , RDB$SYSTEM_FLAG) values(null, null, null, null, null); Two sripts (for running by SYSDBA and by non-privileged 'COOLHACKER') and logs of their execution plese see in attach. I can implement test (for running under fbt_run utility) based on script named "c4731-coolhacker.sql" if no any further changes are planned in FB engine related to this topic. |
Modified by: @pavel-zotovAttachment: c4731-complex-check-scripts-and-logs.zip [ 12723 ] |
|
Commented by: @pavel-zotov PS. Seems that also one bad news present. On Linux LI-T3.0.0.31805 (also client and server on the same host) Firebird hangs -- no messages in trace after:create user coolhacker password '123' 2015-04-22T21:08:32.5440 (24206:0x7f526f710690) TRACE_INIT 2015-04-22T21:08:32.5440 (24206:0x7f526f710690) START_TRANSACTION 2015-04-22T21:08:32.5500 (24206:0x7f526f70db90) TRACE_INIT 2015-04-22T21:08:32.5500 (24206:0x7f526f70db90) ATTACH_DATABASE 2015-04-22T21:08:32.5520 (24206:0x7f526f70db90) START_TRANSACTION 2015-04-22T21:08:42.4880 (24206:0x7f526f70b988) DETACH_DATABASE 2015-04-22T21:08:42.4880 (24206:0x7f526f70b988) TRACE_FINI
|
Modified by: @pavel-zotovAttachment: gdb.150422_211043.firebird.24206.txt.zip [ 12724 ] |
|
Commented by: @AlexPeshkoff For me all your scripts work on linux as expected. In your stacktrace I see a thread, actively executing in trace plugin deep in commit handler, i.e. there is no hang at the first look. Anyway - it's bad idea to poison a ticket with ither unrelated bugs. |
|
Commented by: @AlexPeshkoff Pavel, that's sligtly modified test scritps FYI |
Modified by: @AlexPeshkoffAttachment: c4731.tgz [ 12730 ] |
|
Commented by: @pavel-zotov Test was done successfully. |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] |
Modified by: @dyemanovissuetype: Task [ 3 ] => Improvement [ 4 ] |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: Done successfully Test Details: Non-privileged user (who has no grant to rdb$admin role) shouldnt be able to make ANY change of database dictionary (RDB$ or SEC$ tables). |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] Test Details: Non-privileged user (who has no grant to rdb$admin role) shouldnt be able to make ANY change of database dictionary (RDB$ or SEC$ tables). => 1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables). 2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled. |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] Test Details: 1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables). 2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled. => 1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables). 2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled. |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] Test Details: 1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables). 2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled. => 1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables). 2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled. TODO (06-apr-2018): test likely need to be updated because of CORE5746 (no more restriction to create/alter/drop user-defined indices on system tables) |
Submitted by: @pavel-zotov
Is related to CORE3735
Relate to CORE4359
Relate to CORE4357
Attachments:
rdb-vulnerable-statements.zip
c4731-complex-check-scripts-and-logs.zip
gdb.150422_211043.firebird.24206.txt.zip
c4731.tgz
Votes: 1
Currently in 3.0 there are many DML and even DDL statements that allowed to be issued against RDB$ tables.
I've made query that gathers info about every RDB$ and executes following kinds of statements that will try to:
DML, insert
DML, select WITH LOCK
DML, update
DML, delete
DDL, add column with arbitrary name --- 'A'
DDL, alter some OLD (existed before 'A') column set NULL flag
DDL, alter some OLD (existed before 'A') column add new constraint on it
DDL, alter some OLD (existed before 'A') column set DEFAULT value
DDL, drop some OLD (existed before 'A') column
DDL, drop RDB$-table
If any statement does NOT raise exception than it is logged into special table and than one may get overall report about full list of them.
Unfortunatelly, not only SYSDBA can make such "bad actions" but unprivileged user too.
Scripts in attach:
1) total-dictionary-check.prepare.sql -- this is auxiliary script for creating non-privileged user and revoke all rights from him; than DDL privilege for creating/altering and dropping table is added (only to let him to recreate log table which will be store permitted statements);
2) total-dictionary-check.run-it.sql -- this is the main script for check ability to run "bad statements" against RDB$-tables.
3) rdb-vulnerable-statements-SYSDBA.log -- this is SQL commands that now are allowed on new FB-3 database when they run by SYSDBA;
4 ) rdb-vulnerable-statements-NON_sys.log -- the same as "3" but run by NON-PRIVILEGED user.
Commits: 0afc428 d42402d FirebirdSQL/fbt-repository@2fa85de FirebirdSQL/fbt-repository@bd59c5e
====== Test Details ======
1. Non-privileged user (who has no grant of RDB$ADMIN role) should not be able to make ANY change of database dictionary (RDB$ or SEC$ tables).
Also, since CORE4806 was fixed, this user can`t neither to see nor to change values of any sequence <g> by using GEN_ID() function if he was not granted to use it by GRANT USAGE <g> statement.
This is starting from build 3.0.0.31852 (01-jun-2015).
2. User who was granted role RDB$ADMIN still CAN do 22 statements. All of them seems to be necessary and usage of them can`t be disabled.
TODO (06-apr-2018): test likely need to be updated because of CORE5746 (no more restriction to create/alter/drop user-defined indices on system tables)
The text was updated successfully, but these errors were encountered: