Privileges of dynamic statements in SP [CORE805] #1192

Closed
firebird-automations opened this issue Feb 8, 2005 · 12 comments

@firebird-automations
Collaborator

Submitted by: webionbrano (webionbrano)

Is related to QA295

Votes: 3

SFID: 1118494
Submitted By: webionbrano

Evaluation of privileges for SP with dynamic statement
should be the same as for SP without dynamic statement.
This was posted as a bug, but recognized as designed, with
a suggestion to make it a feature request instead.

THIS REQUEST IS CRUCIAL FOR PROFESSIONAL DEPLOYING OF
FIREBIRD. IN ORACLE THIS WORKS LIKE THIS.

This is the original bug issue: -------------------------------

DB is set like this:
- User PETER has exec. privileges on procedure PROC_B
- PROC_B has sel. privileges on TAB_A

This works:

create procedure PROC_B()
begin
select * from TAB_A;
end

This doesn't work:

create procedure PROC_B()
as
declare variable sel varchar(500);
begin
sel = 'select * from TAB_A';
execute statement :sel;
end

When we add privileges to user PETER to select from
TAB_A everything seems to be alright. For security
reasons it is a fatal error to allow users to read from
tables directly. And when we have 1000 users and 500
tables and 500 procedures it is craziness to grant
everything for everything.

P.S.
The problem is the same also when we use roles.

====== Test Details ======

See also discussion (in russian): http://sql.ru/forum/actualutils.aspx?action=gotomsg&tid=1152829&msg=17535789

@firebird-automations
Collaborator Author

Commented by: Alice F. Bird (firebirds)

Date: 2005-03-23 09:43
Sender: dimitr
Logged In: YES
user_id=61270

Your suggestion introduces a possible security hole. I think
the default permissions should work as now, and additional
SQL clauses should be added to allow another permission
checking logic, e.g.:

EXECUTE STATEMENT <sql_string>
[WITH PERMISSIONS OF {USER | OWNER | OBJECT}]

where:

- USER means the existing logic (current user permissions
are checked)
- OWNER means permissions of the creator of PSQL object
(procedure/trigger/block)
- OBJECT means permissions of the PSQL object itself

or something alike.

@firebird-automations
Collaborator Author

Modified by: @pcisar

issuetype: New Feature [ 2 ] => Improvement [ 4 ]

SF_ID: 1118494 =>

@firebird-automations
Collaborator Author

Modified by: @dyemanov

priority: Major [ 3 ] => Minor [ 4 ]

Component: Security [ 10071 ]

SF_ID: 1118494 =>

@firebird-automations
Collaborator Author

Modified by: @pcisar

Workflow: jira [ 10829 ] => Firebird [ 15262 ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Clause
WITH CALLER PRIVILEGES
implementing desired behavior is added.
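
The setup from the original report, written with the clause named in the comment above. This is an added example, not code from the thread or from the Firebird project; it assumes Firebird 2.5 or later run through isql, and the columns ID and NAME and the parameter NAME_PREFIX are constructed for illustration. The dynamic statement takes its value as a bound parameter rather than by string concatenation, because the text runs with the procedure's privileges added to the caller's.

```sql
-- Added example (constructed): TAB_A, PROC_B and PETER follow the issue
-- report; columns ID/NAME and parameter NAME_PREFIX are assumptions.
CREATE TABLE TAB_A (
  ID   INTEGER NOT NULL PRIMARY KEY,
  NAME VARCHAR(50)
);

SET TERM ^ ;

CREATE PROCEDURE PROC_B (NAME_PREFIX VARCHAR(50))
RETURNS (ID INTEGER, NAME VARCHAR(50))
AS
  DECLARE VARIABLE sel VARCHAR(500);
BEGIN
  -- The statement text is fixed; the caller-supplied value is bound
  -- as the named parameter :p and never spliced into the string.
  sel = 'select ID, NAME from TAB_A where NAME starting with :p';

  -- Default behaviour: only the current user's privileges are checked,
  -- so PETER would need SELECT on TAB_A. WITH CALLER PRIVILEGES adds
  -- the privileges granted to PROC_B itself, as for static PSQL.
  FOR EXECUTE STATEMENT (:sel) (p := :NAME_PREFIX)
      WITH CALLER PRIVILEGES
      INTO :ID, :NAME
  DO
    SUSPEND;
END^

SET TERM ; ^

-- Privileges exactly as in the report: the procedure may read the
-- table, the user may only execute the procedure.
GRANT SELECT ON TAB_A TO PROCEDURE PROC_B;
GRANT EXECUTE ON PROCEDURE PROC_B TO USER PETER;

-- Check to run while connected as PETER (no direct grant on TAB_A):
--   SELECT * FROM PROC_B('A');   -- goes through the procedure
--   SELECT * FROM TAB_A;         -- direct access, no table privilege
```

The clause has no effect when EXECUTE STATEMENT also uses ON EXTERNAL, so statements sent to another data source are still checked against the connecting user only.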

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ] => Vlad Khorsun [ hvlad ]

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.5 RC1 [ 10362 ]

Fix Version: 2.5 Beta 2 [ 10300 ]

Fix Version: 2.5 Beta 1 [ 10251 ]

Fix Version: 2.5 Alpha 1 [ 10224 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

summary: Privilegs of dynamic statements in SP => Privileges of dynamic statements in SP

@firebird-automations
Collaborator Author

Modified by: @dyemanov

Fix Version: 2.5 RC1 [ 10362 ] =>

Fix Version: 2.5 Beta 2 [ 10300 ] =>

Fix Version: 2.5 Beta 1 [ 10251 ] =>

@firebird-automations
Collaborator Author

Modified by: @pcisar

Link: This issue is related to QA295 [ QA295 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

Test Details: See also discussion (in russian): http://sql.ru/forum/actualutils.aspx?action=gotomsg&tid=1152829&msg=17535789

@firebird-automations
Collaborator Author

Commented by: @pcisar

Test created.

@firebird-automations
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]
