
Error messages differ when regular user tries to RESTORE database, depending on his default role and (perhaps) system privilege USE_GBAK_UTILITY [CORE5291] #5569

Closed
firebird-automations opened this issue Jun 23, 2016 · 6 comments


@firebird-automations

Submitted by: @pavel-zotov

1. Turn off FB service, replace security4.fdb with clean (non-initialized) copy.

2. Initialize security4.fdb:
echo create user sysdba password 'masterke';|C:\MIX\firebird\fb40\isql security4.fdb

3. Start FB service

4. Create new database:
echo create database 'localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0' user sysdba password 'masterke';show database;|C:\MIX\firebird\fb40\isql -q -z
=== output: ===
ISQL Version: WI-T4.0.0.267 Firebird 4.0 Unstable
Server version:
WI-T4.0.0.267 Firebird 4.0 Unstable
WI-T4.0.0.267 Firebird 4.0 Unstable/tcp (csprog)/P13
WI-T4.0.0.267 Firebird 4.0 Unstable/tcp (csprog)/P13
Database: localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0
Owner: SYSDBA

5. C:\MIX\firebird\fb40\isql localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 -user sysdba -pas masterke -q
Run this script:

set wng off;
create or alter user u01 password '123' revoke admin role;
create or alter user u02 password '456' revoke admin role;
commit;
revoke all on all from u01;
revoke all on all from u02;
commit;
create role role_for_use_gbak_utility set system privileges to USE_GBAK_UTILITY, SELECT_ANY_OBJECT_IN_DATABASE;
commit;
grant default role_for_use_gbak_utility to user u02;
commit;
show users;
show grants;
exit;

=== output: ===
Users in the database
1 #⁠SYSDBA
0 U01
0 U02

/* Grant permissions for this database */
GRANT DEFAULT ROLE_FOR_USE_GBAK_UTILITY TO U02

6. NOTE: one (and only one) of the regular users, U02, is granted the system privileges "USE_GBAK_UTILITY, SELECT_ANY_OBJECT_IN_DATABASE". This allows him to create a BACKUP, but neither of these users can restore the DB.

7. C:\MIX\firebird\fb40\gbak localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk -user sysdba -pas masterke

8. The most interesting part:

8.1. Try to restore the database as U01, who has NO system privileges:

8.1.1. Restore using services:

C:\MIX\firebird\fb40\gbak.exe -se localhost/3400:service_mgr -rep C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 -user u01 -pas 123
=== output: ===
gbak: ERROR:no permission for CREATE access to DATABASE C:\MIX\FIREBIRD\QA\FBT-REPO\TMP\E40.FD0
gbak: ERROR: failed to create database C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0
gbak: ERROR: Exiting before completion due to errors
gbak:Exiting before completion due to errors

8.1.2. Restore WITHOUT services:

C:\MIX\firebird\fb40\gbak.exe -rep C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 -user u01 -pas 123

=== output: ===
gbak: ERROR:no permission for CREATE access to DATABASE C:\MIX\FIREBIRD\QA\FBT-REPO\TMP\E40.FD0
gbak: ERROR: failed to create database C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0
gbak: ERROR: Exiting before completion due to errors
gbak:Exiting before completion due to errors

So, this is expected and the reason for the failure can be easily understood.

8.2 Try to restore the database as U02, who HAS the system privilege USE_GBAK_UTILITY:

8.2.1. Restore using services:

C:\MIX\firebird\fb40\gbak.exe -se localhost/3400:service_mgr -rep C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 -user u02 -pas 456
=== output: ===
gbak: ERROR:could not drop database C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 (database might be in use)
gbak: ERROR: Exiting before completion due to errors
gbak:Exiting before completion due to errors

8.2.2. Restore WITHOUT services:

C:\MIX\firebird\fb40\gbak.exe -rep C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 -user u02 -pas 456
=== output: ===
gbak: ERROR:could not drop database localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\e40.fd0 (database might be in use)
gbak:Exiting before completion due to errors

-- here we can see that:

1) the text of the message contains the strange phrase "database might be in use", but the DB is surely NOT in use by anyone.
2) the error block does not contain the text "gbak: ERROR: Exiting before completion due to errors" like in the previous cases

8.2.3. Restore to a name that does not yet exist (i.e. use a totally new file name as the target):

C:\MIX\firebird\fb40\gbak.exe -C C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\tmp20160623214951.tmp -user u01 -pas 123

C:\MIX\firebird\fb40\gbak.exe -C C:\MIX\firebird\QA\fbt-repo\tmp\e40.fbk localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\tmp201606232149595.tmp -user u02 -pas 456

Output will be the same:

gbak: ERROR:no permission for CREATE access to DATABASE C:\MIX\FIREBIRD\QA\FBT-REPO\TMP\TMP20160623214951.TMP
gbak: ERROR:failed to create database localhost/3400:C:\MIX\firebird\QA\fbt-repo\tmp\tmp20160623214951.tmp
gbak:Exiting before completion due to errors

So, when user

1) HAS been granted the system privileges "USE_GBAK_UTILITY, SELECT_ANY_OBJECT_IN_DATABASE"
and
2) tries to restore with replacing EXISTING file
and
3) this existing file was created by other user (e.g. SYSDBA)

-- then he will get error messages with obscure content:

gbak: ERROR:could not drop database ... (database might be in use)

IMO, an error message with the phrase "no permission for CREATE access" is much more understandable.

Commits: a81d583

@firebird-automations

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations

Modified by: @AlexPeshkoff

priority: Major [ 3 ] => Minor [ 4 ]

@firebird-automations

Commented by: @AlexPeshkoff

Messages should differ because in different cases gbak's pre-restore tests fail in different places.
But the main problem was that the primary error code was changed in some cases. This issue is fixed; now the messages are different but at least always logical, and they describe the real issue that happened.

@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Alpha 1 [ 10731 ]

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
