Privileges of dynamic statements in SP [CORE805] #1192
Comments
Commented by: Alice F. Bird (firebirds) Date: 2005-03-23 09:43 Your suggestion introduces a possible security hole. I think EXECUTE STATEMENT <sql_string> where: - USER means the existing logic (current user permissions or something alike. |
Modified by: @dyemanov priority: Major [ 3 ] => Minor [ 4 ] Component: Security [ 10071 ] SF_ID: 1118494 => |
Modified by: @pcisar Workflow: jira [ 10829 ] => Firebird [ 15262 ] |
Commented by: @AlexPeshkoff Clause |
Modified by: @AlexPeshkoff assignee: Alexander Peshkov [ alexpeshkoff ] => Vlad Khorsun [ hvlad ] status: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 2.5 RC1 [ 10362 ] Fix Version: 2.5 Beta 2 [ 10300 ] Fix Version: 2.5 Beta 1 [ 10251 ] Fix Version: 2.5 Alpha 1 [ 10224 ] |
Modified by: @dyemanov summary: Privilegs of dynamic statements in SP => Privileges of dynamic statements in SP |
Modified by: @dyemanov Fix Version: 2.5 RC1 [ 10362 ] => Fix Version: 2.5 Beta 2 [ 10300 ] => Fix Version: 2.5 Beta 1 [ 10251 ] => |
Modified by: @pavel-zotov status: Resolved [ 5 ] => Resolved [ 5 ] QA Status: Done successfully Test Details: See also discussion (in Russian): http://sql.ru/forum/actualutils.aspx?action=gotomsg&tid=1152829&msg=17535789 |
Commented by: @pcisar Test created. |
Modified by: @pcisar status: Resolved [ 5 ] => Closed [ 6 ] |
Submitted by: webionbrano (webionbrano)
Is related to QA295
Votes: 3
SFID: 1118494#
Submitted By: webionbrano
Evaluation of privileges for SP with dynamic statement
should be the same as for SP without dynamic statement.
This was posted as a bug, but recognized as designed, with
the suggestion to make it a feature request instead.
THIS REQUEST IS CRUCIAL FOR PROFESSIONAL DEPLOYING OF
FIREBIRD. IN ORACLE THIS WORKS LIKE THIS.
This is the original bug issue: -------------------------------
DB is set like this:
- User PETER has exec. privileges on procedure PROC_B
- PROC_B has sel. privileges on TAB_A
This works:
create procedure PROC_B()
begin
select * from TAB_A;
end
This doesn't work:
create procedure PROC_B()
as
declare variable sel varchar(500);
begin
sel = 'select * from TAB_A';
execute statement :sel;
end
When we add privileges to user PETER to select from
TAB_A, everything seems to be alright. For security
reasons it is a fatal error to enable users to read from
tables directly. And when we have 1000 users and 500
tables and 500 procedures, it is craziness to grant
everything for everything.
P.S.
The problem is the same also when we use roles.
====== Test Details ======
See also discussion (in Russian): http://sql.ru/forum/actualutils.aspx?action=gotomsg&tid=1152829&msg=17535789
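The setup described in the report, written out as an added example (not code from the reporter or from the Firebird project), using the WITH CALLER PRIVILEGES clause that Firebird 2.5 documents for EXECUTE STATEMENT. The columns of TAB_A, the procedure PROC_B_DYN and its MIN_ID parameter are assumptions made for illustration; the script is meant for isql.

```sql
-- Constructed schema: the report does not give TAB_A's columns.
CREATE TABLE TAB_A (ID INTEGER NOT NULL PRIMARY KEY, NAME VARCHAR(50));
COMMIT;

SET TERM ^ ;

-- Static SQL: access to TAB_A is checked against the procedure's own grants,
-- so a caller needs only EXECUTE on the procedure.
CREATE PROCEDURE PROC_B
RETURNS (ID INTEGER, NAME VARCHAR(50))
AS
BEGIN
  FOR SELECT ID, NAME FROM TAB_A INTO :ID, :NAME DO
    SUSPEND;
END^

-- Dynamic SQL (hypothetical PROC_B_DYN): by default the statement runs with
-- the privileges of the current user only. WITH CALLER PRIVILEGES adds the
-- privileges granted to the calling procedure, matching the static case.
-- The statement text is a constant and the value is passed as a named
-- parameter, so no caller input is concatenated into SQL that runs with
-- the procedure's rights.
CREATE PROCEDURE PROC_B_DYN (MIN_ID INTEGER)
RETURNS (ID INTEGER, NAME VARCHAR(50))
AS
BEGIN
  FOR EXECUTE STATEMENT
        ('SELECT ID, NAME FROM TAB_A WHERE ID >= :MIN_ID')
        (MIN_ID := :MIN_ID)
      WITH CALLER PRIVILEGES
      INTO :ID, :NAME
  DO
    SUSPEND;
END^

SET TERM ; ^
COMMIT;

-- Least privilege: the table is granted to the procedures, never to PETER.
GRANT SELECT ON TAB_A TO PROCEDURE PROC_B;
GRANT SELECT ON TAB_A TO PROCEDURE PROC_B_DYN;
GRANT EXECUTE ON PROCEDURE PROC_B TO PETER;
GRANT EXECUTE ON PROCEDURE PROC_B_DYN TO PETER;
COMMIT;
```

Connected as PETER, `SELECT * FROM PROC_B_DYN(1)` is then expected to succeed while a direct `SELECT * FROM TAB_A` is still refused.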