Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No error if the GRANT target object does not exist [CORE5755] #6018

Closed
firebird-automations opened this issue Feb 20, 2018 · 6 comments
Closed

Comments

@firebird-automations
Copy link
Collaborator

Submitted by: @romansimakov

We have no check of existance a subjects of privileges. I.e.
roman:bin$ ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'a';
SQL> create table t(i integer);
SQL> grant select on t to function wrong_func;
SQL> show function wrong_func;
There is no user-defined function WRONG_FUNC in this database

We cannot check of existance user in such case but when we grant privilege to the database object we need to do it.

Commits: 2bad53c 09c1ccc

====== Test Details ======

grant execute on proc|func|package and grant usage on sequence|exception -- still does NOT produce error/warning.

@firebird-automations
Copy link
Collaborator Author

Modified by: @dyemanov

summary: Existing a subject of privileges => No error if the GRANT target object does not exist

@firebird-automations
Copy link
Collaborator Author

Modified by: @romansimakov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

Fix Version: 3.0.4 [ 10863 ]

assignee: Roman Simakov [ roman-simakov ]

@firebird-automations
Copy link
Collaborator Author

Commented by: @pavel-zotov

set bail on;
recreate table table_test(x int);
create or alter procedure sp_test as begin end;

set term ^;
create or alter function fn_test returns int as
begin
return cast( rand()*10000 as int );
end
^

create or alter package pkg_test as
begin
procedure sp_foo;
end
^

recreate package body pkg_test as
begin
procedure sp_foo as
declare c int;
begin
c = 1;
end
end
^
set term ;^

recreate sequence g_test;
recreate exception x_test 'foo!';
commit;

set bail off;

grant create table to function wrong_test;
Statement failed, SQLSTATE = 42000
unsuccessful metadata update
-GRANT failed
-Function WRONG_TEST does not exist

grant select on table_test to function wrong_func;
Statement failed, SQLSTATE = 42000
unsuccessful metadata update
-GRANT failed
-Function WRONG_FUNC does not exist

grant execute on procedure sp_test to wrong_func;

grant execute on function fn_test to wrong_func;

grant execute on package pkg_test to wrong_func;

grant usage on sequence g_test to wrong_func;

grant usage on exception x_test to wrong_func;
------------------

1) No error on last 5 statements. Is it OK ?
2) IMO, specifying non-existing target object should produce WARNING rather than ERROR. At least in 3.x which was released more than 2 years ago.

PS. Checked on:

ISQL Version: WI-T4.0.0.998 Firebird 4.0 Alpha 1
Server version:
WI-T4.0.0.998 Firebird 4.0 Alpha 1
WI-T4.0.0.998 Firebird 4.0 Alpha 1/tcp (csprog)/P16
WI-T4.0.0.998 Firebird 4.0 Alpha 1/tcp (csprog)/P16

@firebird-automations
Copy link
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done with caveats

Test Details: grant execute on proc|func|package and grant usage on sequence|exception -- still does NOT produce error/warning.

@firebird-automations
Copy link
Collaborator Author

Commented by: @romansimakov

> grant usage on exception x_test to wrong_func;
> ------------------
> 1) No error on last 5 statements. Is it OK ?

Yes. In this case wrong_func is not func :) it's non existing user to which it's possible to grant privileges. It was always so and I leave it so.

@firebird-automations
Copy link
Collaborator Author

Commented by: @romansimakov

> 2) IMO, specifying non-existing target object should produce WARNING rather than ERROR. At least in 3.x which was released more than 2 years ago.

I tend to consider it as security bug and prefer to have an error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment