Inconsistency between ALTER and USAGE privileges for sequences (generators).
----------------------------------------------------------------------------

                 Key: CORE-5937
                 URL: http://tracker.firebirdsql.org/browse/CORE-5937
             Project: Firebird Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 3.0.4, 3.0.3, 4.0 Alpha 1, 3.0.2, 3.0.1, 3.0.0, 4.0 Initial
            Reporter: Mark Rotteveel


There appears to be an inconsistency between the ALTER and USAGE privileges for 
sequences.

Only users with ALTER permission on sequences are allowed to use ALTER SEQUENCE 
<name> RESTART WITH <new value>

Users with USAGE permission cannot execute that statement, but they can achieve 
the same effect with:

select gen_id(<name>, <new value> - gen_id(<name>, 0)) from rdb$database

Either this loophole needs to be closed (e.g. by disallowing values other than 0 
or 1 without ALTER permission), which will likely break applications that rely 
on being able to use gen_id with a different value. 

Or, better, we should relax the requirements a bit, and allow RESTART WITH (and 
only RESTART WITH) to users who have USAGE permission. Then at least the 
loophole is explicit and doesn't create a false sense of safety.

See also 
https://groups.yahoo.com/neo/groups/firebird-support/conversations/topics/133140

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
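
An audit query for the situation described in the report, added here as an example and not part of the original message or of the Firebird project: since USAGE on a sequence is enough to reposition it through gen_id, the query lists every non-owner grantee of USAGE on user-defined sequences. It assumes the Firebird 3.0 system tables, where USAGE is stored in RDB$USER_PRIVILEGES with privilege code 'G' and the object type is resolved through RDB$TYPES.

```sql
-- Added example (not from the original report).
-- Assumption: Firebird 3.0 system tables; USAGE is recorded as
-- RDB$PRIVILEGE = 'G' in RDB$USER_PRIVILEGES.
-- Every row is a principal that, per the report, can move the sequence
-- to an arbitrary value with gen_id even without ALTER permission.
SELECT
    TRIM(g.RDB$GENERATOR_NAME) AS SEQUENCE_NAME,
    TRIM(g.RDB$OWNER_NAME)     AS OWNER_NAME,
    TRIM(p.RDB$USER)           AS GRANTEE,      -- user, role or PUBLIC
    TRIM(p.RDB$GRANTOR)        AS GRANTOR,
    IIF(COALESCE(p.RDB$GRANT_OPTION, 0) <> 0, 'YES', 'NO') AS CAN_REGRANT
FROM RDB$USER_PRIVILEGES p
JOIN RDB$TYPES t
  -- Resolve the numeric object type by name instead of hard-coding it.
  ON  t.RDB$FIELD_NAME = 'RDB$OBJECT_TYPE'
  AND t.RDB$TYPE_NAME  = 'GENERATOR'
  AND t.RDB$TYPE       = p.RDB$OBJECT_TYPE
JOIN RDB$GENERATORS g
  ON  g.RDB$GENERATOR_NAME = p.RDB$RELATION_NAME
WHERE p.RDB$PRIVILEGE = 'G'                    -- USAGE
  AND COALESCE(g.RDB$SYSTEM_FLAG, 0) = 0       -- skip system generators
  AND p.RDB$USER <> g.RDB$OWNER_NAME           -- owner holds it implicitly
ORDER BY 1, 3;
```

Rows where GRANTEE is PUBLIC or CAN_REGRANT is YES deserve the first look, because they extend the effective restart capability beyond the accounts that were granted USAGE by name.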