Re: [sqlite] Proposition: introduce a new SQLITE_READ_TABLE Authorizer Action Code

Sat, 06 May 2017 14:48:07 -0700 

Gwendal.  Your proposal last month for adding column names to the callback
parameters seemed more sensible.  The first question that comes to mind
when new callback modes are to being proposed is what else would be missing
if the same standard were applied to every possible operation?

My thought.  A cursory read of the relevant code comments (see below)
suggests the author had in mind only precise security control of views and
triggers - the ubiquitous 6th parameter mentioned in the comment.  If
that's the idea, then one presumably denies everything by default and then
handles requests only to a purpose built secure view and trigger layer.

It would be nice to hear from the author about what they actually had in
mind for those who need total iron clad security of every row or aggregate
query of any table.  For example, if SQLITE_READ authorization is not being
tested, why not?  Is it tested later?  Perhaps the architecture of the
authorizer is not self explanatory from the names of the #defines or is
described elsewhere.

/*
** CAPI3REF: Authorizer Action Codes
**
** The [sqlite3_set_authorizer()] interface registers a callback function
** that is invoked to authorize certain SQL statement actions.  The
** second parameter to the callback is an integer code that specifies
** what action is being authorized.  These are the integer action codes that
** the authorizer callback may be passed.
**
** These action code values signify what kind of operation is to be
** authorized.  The 3rd and 4th parameters to the authorization
** callback function will be parameters or NULL depending on which of these
** codes is used as the second parameter.  ^(The 5th parameter to the
** authorizer callback is the name of the database ("main", "temp",
** etc.) if applicable.)^  ^The 6th parameter to the authorizer callback
** is the name of the inner-most trigger or view that is responsible for
** the access attempt or NULL if this access attempt is directly from
** top-level SQL code.
*/
/******************************************* 3rd ************ 4th
***********/
#define SQLITE_CREATE_INDEX          1   /* Index Name      Table Name
*/
#define SQLITE_CREATE_TABLE          2   /* Table Name      NULL
*/
#define SQLITE_CREATE_TEMP_INDEX     3   /* Index Name      Table Name
*/
#define SQLITE_CREATE_TEMP_TABLE     4   /* Table Name      NULL
*/
#define SQLITE_CREATE_TEMP_TRIGGER   5   /* Trigger Name    Table Name
*/
#define SQLITE_CREATE_TEMP_VIEW      6   /* View Name       NULL
*/
#define SQLITE_CREATE_TRIGGER        7   /* Trigger Name    Table Name
*/
#define SQLITE_CREATE_VIEW           8   /* View Name       NULL
*/
#define SQLITE_DELETE                9   /* Table Name      NULL
*/
#define SQLITE_DROP_INDEX           10   /* Index Name      Table Name
*/
#define SQLITE_DROP_TABLE           11   /* Table Name      NULL
*/
#define SQLITE_DROP_TEMP_INDEX      12   /* Index Name      Table Name
*/
#define SQLITE_DROP_TEMP_TABLE      13   /* Table Name      NULL
*/
#define SQLITE_DROP_TEMP_TRIGGER    14   /* Trigger Name    Table Name
*/
#define SQLITE_DROP_TEMP_VIEW       15   /* View Name       NULL
*/
#define SQLITE_DROP_TRIGGER         16   /* Trigger Name    Table Name
*/
#define SQLITE_DROP_VIEW            17   /* View Name       NULL
*/
#define SQLITE_INSERT               18   /* Table Name      NULL
*/
#define SQLITE_PRAGMA               19   /* Pragma Name     1st arg or NULL
*/
#define SQLITE_READ                 20   /* Table Name      Column Name
*/
#define SQLITE_SELECT               21   /* NULL            NULL
*/
#define SQLITE_TRANSACTION          22   /* Operation       NULL
*/
#define SQLITE_UPDATE               23   /* Table Name      Column Name
*/
#define SQLITE_ATTACH               24   /* Filename        NULL
*/
#define SQLITE_DETACH               25   /* Database Name   NULL
*/
#define SQLITE_ALTER_TABLE          26   /* Database Name   Table Name
*/
#define SQLITE_REINDEX              27   /* Index Name      NULL
*/
#define SQLITE_ANALYZE              28   /* Table Name      NULL
*/
#define SQLITE_CREATE_VTABLE        29   /* Table Name      Module Name
*/
#define SQLITE_DROP_VTABLE          30   /* Table Name      Module Name
*/
#define SQLITE_FUNCTION             31   /* NULL            Function Name
*/
#define SQLITE_SAVEPOINT            32   /* Operation       Savepoint Name
*/
#define SQLITE_COPY                  0   /* No longer used */
#define SQLITE_RECURSIVE            33   /* NULL            NULL
*/


On Sat, May 6, 2017 at 6:24 AM, Gwendal Roué <[email protected]> wrote:

>
> > Le 6 mai 2017 à 15:12, Gwendal Roué <[email protected]> a écrit :
> >
> > Hello,
> >
> > This email contains a patch that introduces a new authorizer action
> code: SQLITE_READ_TABLE.
>
> My patch did not work when the authorizer callback would not return
> SQLITE_OK.
>
> Please find the fixed patch below:
>
> $ fossil info
> project-name: SQLite
> repository:   /Users/groue/Documents/git/sqlite/sqlite.fossil
> local-root:   /Users/groue/Documents/git/sqlite/
> config-db:    /Users/groue/.fossil
> project-code: 2ab58778c2967968b94284e989e43dc11791f548
> checkout:     b9a58daca80a815e87e541cb5fff9bc8b93f131d 2017-05-04
> 11:13:50 UTC
> parent:       e24b73820cdca07eee87853fe6dd9f60d76e039e 2017-05-03
> 19:36:50 UTC
> tags:         trunk
> comment:      Fix a collision of the "B0" identifier name between the
> termios.h header file and the SHA3 implementation in the shell. (user: drh)
> check-ins:    18701
>
> $ fossil diff
> Index: src/select.c
> ==================================================================
> --- src/select.c
> +++ src/select.c
> @@ -4370,10 +4370,15 @@
>      }else{
>        /* An ordinary table or view name in the FROM clause */
>        assert( pFrom->pTab==0 );
>        pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);
>        if( pTab==0 ) return WRC_Abort;
> +      int iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
> +      if( sqlite3AuthCheck(pParse, SQLITE_READ_TABLE, pTab->zName, 0,
> db->aDb[iDb].zDbSName) ){
> +        pFrom->pTab = 0;
> +        return WRC_Abort;
> +      }
>        if( pTab->nTabRef>=0xffff ){
>          sqlite3ErrorMsg(pParse, "too many references to \"%s\": max
> 65535",
>             pTab->zName);
>          pFrom->pTab = 0;
>          return WRC_Abort;
>
> Index: src/sqlite.h.in
> ==================================================================
> --- src/sqlite.h.in
> +++ src/sqlite.h.in
> @@ -2824,10 +2824,11 @@
>  #define SQLITE_DROP_VTABLE          30   /* Table Name      Module Name
>    */
>  #define SQLITE_FUNCTION             31   /* NULL            Function
> Name   */
>  #define SQLITE_SAVEPOINT            32   /* Operation       Savepoint
> Name  */
>  #define SQLITE_COPY                  0   /* No longer used */
>  #define SQLITE_RECURSIVE            33   /* NULL            NULL
>   */
> +#define SQLITE_READ_TABLE           34   /* Table Name      NULL
>   */
>
>  /*
>  ** CAPI3REF: Tracing And Profiling Functions
>  ** METHOD: sqlite3
>  **
>
> _______________________________________________
> sqlite-users mailing list
> [email protected]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to