[Firebird-devel] [FB-Tracker] Created: (CORE-4827) Sequence attributes can be seen in SELECT * FROM RDB$GENERATORS even if user has no ritghts on that sequence

Wed, 03 Jun 2015 22:27:13 -0700 

Sequence attributes can be seen in SELECT * FROM RDB$GENERATORS even if user 
has no ritghts on that sequence
------------------------------------------------------------------------------------------------------------

                 Key: CORE-4827
                 URL: http://tracker.firebirdsql.org/browse/CORE-4827
             Project: Firebird Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 3.0 Beta 2
            Reporter: Pavel Zotov
            Priority: Minor


Test:
====

set wng off;
recreate sequence gen_boss start with -9223372036854775808 increment by 
-2147483647;
recreate sequence gen_4all start with 9223372036854775807 increment by 
2147483647;
comment on sequence gen_boss is '### !!! ACHTUNG !!! ### This is *** TOP-SECRET 
*** counter of those who doesn''t like their boss.';
commit;
create or alter user u01 password '123';
commit;
revoke all on all from u01;
commit;

grant usage on sequence gen_4all to u01;
commit;

connect 'localhost/3333:e30' user 'u01' password '123';

set list on;

show grants;

select next value for gen_4all from rdb$database;
show sequ;

select current_user, g.*
from rdb$generators g
where g.rdb$generator_name starting with upper('gen_');

Output:
======

/* Grant permissions for this database */
GRANT USAGE ON SEQUENCE GEN_4ALL TO USER U01

NEXT_VALUE                      -9223372034707292162


Generator GEN_4ALL, current value: -9223372034707292162, initial value: 
9223372036854775807, increment: 2147483647
Statement failed, SQLSTATE = 28000
no permission for USAGE access to GENERATOR GEN_BOSS
After line 20 in file gen_usage.sql

USER                            U01 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< [ 1 ]
RDB$GENERATOR_NAME              GEN_BOSS
RDB$GENERATOR_ID                18
RDB$SYSTEM_FLAG                 0
RDB$DESCRIPTION                 14:f9
### !!! ACHTUNG !!! ### This is *** TOP-SECRET *** counter of those who doesn't 
like their boss. <<<<<<<<<<<<<<< [ 2 ]
RDB$SECURITY_CLASS              SQL$373
RDB$OWNER_NAME                  SYSDBA
RDB$INITIAL_VALUE               -9223372036854775808
RDB$GENERATOR_INCREMENT         -2147483647

USER                            U01
RDB$GENERATOR_NAME              GEN_4ALL
RDB$GENERATOR_ID                19
RDB$SYSTEM_FLAG                 0
RDB$DESCRIPTION                 <null>
RDB$SECURITY_CLASS              SQL$374
RDB$OWNER_NAME                  SYSDBA
RDB$INITIAL_VALUE               9223372036854775807
RDB$GENERATOR_INCREMENT         2147483647


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel

Reply via email to