Daniel John Debrunner wrote:
Satheesh Bandaram wrote:
[snip]
  
I will add RoutinePermsDescriptors to allow execute privilege to
other system routines that all users should be able to invoke by
default. (like SYSCS_GET_DATABASE_PROPERTY, SYSCS_EXPORT_TABLE,
SYSCS_GET_RUNTIMESTATISTICS, SYSCS_IMPORT_TABLE,
SYSCS_SET_STATISTICS_TIMING, SYSCS_SET_RUNTIMESTATISTICS,
SYSCS_INPLACE_COMPRESS_TABLE, SYSCS_COMPRESS_TABLE)
    

SYSCS_GET_DATABASE_PROPERTY seems like one that should be restricted to
database owner. Not sure on the compress tables ones, seem more like
database owner.
  
Right. Probably SYSCS_GET_DATABASE_PROPERTY should be restricted. If BUILTIN authentication is being used, this can be used to get other users' passwords... Compress routines would still need schema owner privilege to actually succeed (at least the offline version; there is a defect open for the inline version to change the implementation). Would we like to restrict them to DBA only for heavy resource use?
I also think all routines in SYSIBM schema should be executable by all.
Only DBA access for INSTALL_JAR, REMOVE_JAR and REPLACE_JAR, by default?
    

Any chance of a list of all system procedures and if they will be
executable by public or only database owner, security invoker or definer?
  
I will update the functional spec with this info. It already says all system routines have external security set to INVOKER and default to DBA-only execute privilege. I will add a table to list system routines that can be executed by any user, so this information can be pushed to docs later.

Satheesh


