[ https://issues.apache.org/jira/browse/DERBY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12470445 ]
Daniel John Debrunner commented on DERBY-2264:
----------------------------------------------
Dag> "What I argue in my previous post is that it does not make sense to forbid
shutting down the database if you already can delete all its data, which is the
case for 7 for fullAccess users."

Without any checks in 3), 7) then read-only users would also be able to shut the
system down (as they can today) even though they do not have the ability to
delete all the data.

I think it's somewhat dangerous in security analysis to equate permissions
which are really independent of each other. For example, one can have the
permission to delete rows from a table but not to drop it; they are treated as
separate even though they could be seen to have a similar effect.

I think you also cannot assume that a user authenticated by a database is a
valid user in the system authentication. Thus I don't think you can drop the
checking for 4), since the user may not be able to shut the system down.
> Restrict shutdown, upgrade, and encryption powers to the database owner
> -----------------------------------------------------------------------
>
> Key: DERBY-2264
> URL: https://issues.apache.org/jira/browse/DERBY-2264
> Project: Derby
> Issue Type: New Feature
> Components: Security, SQL
> Reporter: Rick Hillegas
> Attachments: dbaPowers.html, dbaPowers.html
>
>
> This JIRA separates out the database-owner powers from the system privileges
> in the master security JIRA DERBY-2109. Restrict the following powers to the
> database owner for the moment: shutdown, upgrade, and encryption.