Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation

Fri, 22 Apr 2022 11:10:55 -0700 

21.04.2022 13:38, Jiří Činčura wrote:

Hi,

Can propagate the privileges down into the call stack when using WITH CALLER 
PRIVILEGES? For example:
CREATE TABLE T_TEST (ID INTEGER NOT NULL,
CONSTRAINT PK_TEST PRIMARY KEY (ID));

/* Package header: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST AS
begin
         procedure test returns (i int);
end^

/* Package header: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST_LIMITED AS
begin
         procedure test returns (i int);
end^

/* Package body: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST AS
begin
         procedure test returns (i int)
         as
         begin
                 for select id from t_test into :i do
                 begin
                         suspend;
                 end
         end
end^

/* Package body: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST_LIMITED AS
begin
         procedure test returns (i int)
         as
         begin
                 for execute statement 'select i from pkg_test.test' with 
caller privileges into :i do
                 begin
                         suspend;
                 end
         end
end^

/* Grant permissions for this database */
GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST_LIMITED;
GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;
Now if I do, under LIMITED user, `select * from pkg_test_limited.test;` is will end up with `no permission for SELECT access to TABLE T_TEST`. 

  Here user LIMITED executes PKG_TEST_LIMITED.TEST (which it have explicit 
grant to do, see
2nd GRANT statement) and than going to execute procedure from package PKG_TEST 
which nor user
LIMITED nor package PKG_TEST_LIMITED is not granted to do. Error message is 
misleading here, btw.

If you GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST and run

        select * from pkg_test_limited.test

then you'll see more correct error:

        no permission for EXECUTE access to PACKAGE PKG_TEST

Then add missing GRANT EXECUTE ON PACKAGE PKG_TEST TO PACKAGE PKG_TEST_LIMITED
and query will run successfully.


But if I change the execute statement into `for execute statement 'select id 
t_test' with caller privileges into :i do` everything is fine.


  Sure, because package PKG_TEST_LIMITED granted to do it (your 1st GRANS 
statement)
and caller privileges is effective.
I guess the "caller privileges" is propagated only into `pkg_test_limited.test` when calling, but not further into `t_test`. 
> > Can I somewhat make it work/propagate? Or did I misunderstood the feature?

  Hope it is clear now.

Regards,
Vlad


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel

Reply via email to