[Firebird-devel] [FB-Tracker] Created: (CORE-5755) Existing a subject of privileges

2018-02-20 Thread Roman Simakov (JIRA)
Existing a subject of privileges


 Key: CORE-5755
 URL: http://tracker.firebirdsql.org/browse/CORE-5755
 Project: Firebird Core
  Issue Type: Bug
  Components: Engine
Affects Versions: 3.0.3, 4.0 Alpha 1
Reporter: Roman Simakov


We have no check of the existence of subjects of privileges. I.e.
roman:bin$ ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'a';
SQL> create table t(i integer);
SQL> grant select on t to function wrong_func;
SQL> show function wrong_func;
There is no user-defined function WRONG_FUNC in this database

We cannot check the existence of a user in such a case, but when we grant a
privilege to a database object we need to do it.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
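
Added example, not part of the original thread or of the Firebird sources: an audit query for an existing database that lists grants of the kind CORE-5755 describes, i.e. rows in RDB$USER_PRIVILEGES whose grantee is typed as a function, procedure, trigger, view or role although no such object exists. The numeric type codes are assumed to be the Firebird 3.0 values and should be confirmed against RDB$TYPES on the server being audited.

```sql
-- Added audit query (not from the thread).
-- Assumed object-type codes: 1 = view, 2 = trigger, 5 = procedure,
-- 13 = role, 15 = function. Confirm them on your server with:
--   SELECT RDB$TYPE, RDB$TYPE_NAME FROM RDB$TYPES
--   WHERE RDB$FIELD_NAME = 'RDB$OBJECT_TYPE';
-- Grantees of type "user" are not checked: as noted in the thread,
-- the existence of a user cannot be verified from the database.
SELECT
    TRIM(p.RDB$USER)          AS GRANTEE,
    p.RDB$USER_TYPE           AS GRANTEE_TYPE,
    TRIM(p.RDB$PRIVILEGE)     AS PRIVILEGE,
    TRIM(p.RDB$RELATION_NAME) AS ON_OBJECT,
    TRIM(p.RDB$GRANTOR)       AS GRANTOR
FROM RDB$USER_PRIVILEGES p
WHERE
    -- standalone function named as grantee, but no such function
    (p.RDB$USER_TYPE = 15 AND NOT EXISTS (
        SELECT 1 FROM RDB$FUNCTIONS f
        WHERE f.RDB$FUNCTION_NAME = p.RDB$USER
          AND f.RDB$PACKAGE_NAME IS NULL))
    -- standalone procedure
 OR (p.RDB$USER_TYPE = 5 AND NOT EXISTS (
        SELECT 1 FROM RDB$PROCEDURES pr
        WHERE pr.RDB$PROCEDURE_NAME = p.RDB$USER
          AND pr.RDB$PACKAGE_NAME IS NULL))
    -- trigger
 OR (p.RDB$USER_TYPE = 2 AND NOT EXISTS (
        SELECT 1 FROM RDB$TRIGGERS t
        WHERE t.RDB$TRIGGER_NAME = p.RDB$USER))
    -- view (a relation that has view BLR)
 OR (p.RDB$USER_TYPE = 1 AND NOT EXISTS (
        SELECT 1 FROM RDB$RELATIONS r
        WHERE r.RDB$RELATION_NAME = p.RDB$USER
          AND r.RDB$VIEW_BLR IS NOT NULL))
    -- role
 OR (p.RDB$USER_TYPE = 13 AND NOT EXISTS (
        SELECT 1 FROM RDB$ROLES ro
        WHERE ro.RDB$ROLE_NAME = p.RDB$USER))
ORDER BY 2, 1;
```

After the isql session shown in the report, this query should return one row for WRONG_FUNC with SELECT on T.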


Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Roman Simakov
2018-02-20 15:43 GMT+03:00 Alex Peshkoff via Firebird-devel:
> On 02/20/18 15:39, Roman Simakov wrote:
>> In this case it's a bug right?
>>
>
> yes

http://tracker.firebirdsql.org/browse/CORE-5755


-- 
Roman Simakov



Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Alex Peshkoff via Firebird-devel

On 02/20/18 15:39, Roman Simakov wrote:
> 2018-02-20 15:27 GMT+03:00 Alex Peshkoff via Firebird-devel:
>> Always requiring object type is best of possible solutions but I'm afraid
>> that's unreal.
>>
>> I've supposed missing keyword, i.e. real failing statement is:
>>
>> grant select on t to FUNCTION wrong_func;
>>
>> Roman - am I wrong?
>
> Right. I meant explicit keyword. See this:
>
> roman:bin$ ./isql
> Use CONNECT or CREATE DATABASE to specify a database
> SQL> create database 'a';
> SQL> create table t(i integer);
> SQL> grant select on t to function wrong_func;
> SQL> show function wrong_func;
> There is no user-defined function WRONG_FUNC in this database
>
> In this case it's a bug right?

yes




Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Roman Simakov
2018-02-20 15:27 GMT+03:00 Alex Peshkoff via Firebird-devel:
> Always requiring object type is best of possible solutions but I'm afraid
> that's unreal.
>
> I've supposed missing keyword, i.e. real failing statement is:
>
> grant select on t to FUNCTION wrong_func;
>
> Roman - am I wrong?

Right. I meant explicit keyword. See this:

roman:bin$ ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'a';
SQL> create table t(i integer);
SQL> grant select on t to function wrong_func;
SQL> show function wrong_func;
There is no user-defined function WRONG_FUNC in this database

In this case it's a bug right?

-- 
Roman Simakov



Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Alex Peshkoff via Firebird-devel

On 02/20/18 15:19, Dimitry Sibiryakov wrote:
> 20.02.2018 13:14, Alex Peshkoff via Firebird-devel wrote:
>>> 2) We have no check of the existence of subjects of privileges. I.e.
>>> SQL> create table t(i integer);
>>> SQL> grant select on t to wrong_func;
>>> SQL> show function wrong_func;
>>> There is no user-defined function WRONG_FUNC in this database
>>>
>>> I tend to consider it as a bug to be fixed. Am I right?
>>
>> Definitely yes.
>
>   Do you suggest to remove defaulting of subject type to "USER" and
> require explicit type name in all cases?

Always requiring object type is best of possible solutions but I'm
afraid that's unreal.

I've supposed missing keyword, i.e. real failing statement is:

grant select on t to FUNCTION wrong_func;

Roman - am I wrong?





Re: [Firebird-devel] [FB-Tracker] Created: (CORE-5746) Remove the restriction on create/delete, enable/disable the system indexes in system tables

2018-02-20 Thread Rashid Abzalov

Hello.

The background of this task is in CORE-5612; it contains research details
and conclusions.

As far as I understood, there is no way to specify which index should be
used for system inquiries from *.epp files?
If not, is it possible to allow creating/deleting and enabling/disabling
indexes on system tables, including standard system indexes?

I would try to implement this if the approach is approved.

In Firebird 2.5, we get around the problem described in CORE-5612 by
creating 2 indexes and turning off the indices RDB$INDEX_27 and
RDB$INDEX_28 at the right time (then turning them back on).

But we cannot act in the same way in Firebird 3.0 because these actions
are only allowed by GBAK (attachment->isGbak) and only during the
creation of the database (attachment->att_flags & ATT_creator).

I.e., if you do not want to allow such actions publicly, they could be
allowed from external utilities similar to GBAK
(dpb.insertString(isc_dpb_gbak_attach, FB_VERSION,
fb_strlen(FB_VERSION))), but then the check for the creator of the
database (attachment->att_flags & ATT_creator) needs to be removed.




Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Dimitry Sibiryakov

20.02.2018 13:14, Alex Peshkoff via Firebird-devel wrote:
>> 2) We have no check of the existence of subjects of privileges. I.e.
>> SQL> create table t(i integer);
>> SQL> grant select on t to wrong_func;
>> SQL> show function wrong_func;
>> There is no user-defined function WRONG_FUNC in this database
>>
>> I tend to consider it as a bug to be fixed. Am I right?
>
> Definitely yes.

  Do you suggest to remove defaulting of subject type to "USER" and require explicit type
name in all cases?


--
  WBR, SD.



Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Alex Peshkoff via Firebird-devel

On 02/20/18 14:55, Roman Simakov wrote:
> Hello!
>
> I fixed several bugs related to GRANT operator and investigated a
> couple of issues I'd like to discuss:
> 1) Replace RDB$TRIGGER_9 (trigger1 in trig.h) by code in DdlNodes.epp
> with the same functions. I already did it in CORE-5747 to check grant
> option.

Good way to go.

> We can do it since we remove direct modifying system tables. It's more
> obvious place and we can use at least assert to check that all object
> types are verified. That could avoid errors like CORE-5747 in future.
> BLR of trigger is hard for support IMO.
> Also note I'm checking GRANT OPTION of roles which current user uses.
> Now he can have several such roles. RDB$TRIGGER_9 does not check them I
> think.
>
> 2) We have no check of the existence of subjects of privileges. I.e.
> SQL> create table t(i integer);
> SQL> grant select on t to wrong_func;
> SQL> show function wrong_func;
> There is no user-defined function WRONG_FUNC in this database
>
> I tend to consider it as a bug to be fixed. Am I right?

Definitely yes.





Re: [Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Dimitry Sibiryakov

20.02.2018 12:55, Roman Simakov wrote:
> 2) We have no check of the existence of subjects of privileges. I.e.
> SQL> create table t(i integer);
> SQL> grant select on t to wrong_func;
> SQL> show function wrong_func;
> There is no user-defined function WRONG_FUNC in this database
>
> I tend to consider it as a bug to be fixed. Am I right?

  Without explicit type of subject GRANT command grants it to a user whose existence
cannot be verified. You must use explicit "grant select on t to FUNCTION wrong_func" to
get error.

  I don't know if currently a user's existence can be checked via SEC$USERS.

--
  WBR, SD.



[Firebird-devel] Existing a subject of privileges and refactoring

2018-02-20 Thread Roman Simakov
Hello!

I fixed several bugs related to GRANT operator and investigated a
couple of issues I'd like to discuss:
1) Replace RDB$TRIGGER_9 (trigger1 in trig.h) by code in DdlNodes.epp
with the same functions. I already did it in CORE-5747 to check grant
option.
We can do it since we remove direct modifying system tables. It's more
obvious place and we can use at least assert to check that all object
types are verified. That could avoid errors like CORE-5747 in future.
BLR of trigger is hard for support IMO.
Also note I'm checking GRANT OPTION of roles which current user uses.
Now he can have several such roles. RDB$TRIGGER_9 does not check them I
think.

2) We have no check of the existence of subjects of privileges. I.e.
SQL> create table t(i integer);
SQL> grant select on t to wrong_func;
SQL> show function wrong_func;
There is no user-defined function WRONG_FUNC in this database

I tend to consider it as a bug to be fixed. Am I right?


-- 
Roman Simakov
