Inconsistency between ALTER and USAGE privileges for sequences (generators). ----------------------------------------------------------------------------
Key: CORE-5937 URL: http://tracker.firebirdsql.org/browse/CORE-5937 Project: Firebird Core Issue Type: Bug Components: Security Affects Versions: 3.0.4, 3.0.3, 4.0 Alpha 1, 3.0.2, 3.0.1, 3.0.0, 4.0 Initial Reporter: Mark Rotteveel There appears to be an inconsistency between the ALTER and USAGE privileges for sequences. Only users with ALTER permission on sequences are allowed to use ALTER SEQUENCE <name> RESTART WITH <new value> Users with USAGE permission cannot execute that statement, but they can achieve the same effect with: select gen_id(<name>, <new value> - gen_id(<name>, 0)) from rdb$database Either this loophole needs to be closed (eg by disallowing values other than 0 or 1 without ALTER permission), which will likely break applications that rely on being able to use gen_id with a different value. Or, better, we should relax the requirements a bit, and allow RESTART WITH (and only RESTART WITH) to users who have USAGE permission. Then at least the loophole is explicit and doesn't create a false sense of safety. See also https://groups.yahoo.com/neo/groups/firebird-support/conversations/topics/133140 -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://tracker.firebirdsql.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel