Prohibit any ability to issue DML or DDL statements on RDB$ tables
------------------------------------------------------------------
                 Key: CORE-4731
                 URL: http://tracker.firebirdsql.org/browse/CORE-4731
             Project: Firebird Core
          Issue Type: Task
    Affects Versions: 3.0 Beta 2
            Reporter: Pavel Zotov
         Attachments: rdb-vulnerable-statements.zip

Currently in 3.0 there are many DML and even DDL statements that are allowed to be issued against RDB$ tables.

I've made a query that gathers info about every RDB$ table and executes the following kinds of statements, which try to:

DML: insert
DML: select WITH LOCK
DML: update
DML: delete
DDL: add column with arbitrary name 'A'
DDL: alter some OLD (existed before 'A') column, set NULL flag
DDL: alter some OLD (existed before 'A') column, add new constraint on it
DDL: alter some OLD (existed before 'A') column, set DEFAULT value
DDL: drop some OLD (existed before 'A') column
DDL: drop RDB$-table

If any statement does NOT raise an exception, then it is logged into a special table, and then one may get an overall report with the full list of them.

Unfortunately, not only SYSDBA can make such "bad actions", but an unprivileged user too.

Scripts in the attachment:

1) total-dictionary-check.prepare.sql -- auxiliary script for creating a non-privileged user and revoking all rights from him; then the DDL privilege for creating/altering and dropping tables is added (only to let him recreate the log table which will store the permitted statements);
2) total-dictionary-check.run-it.sql -- the main script for checking the ability to run "bad statements" against RDB$-tables;
3) rdb-vulnerable-statements-SYSDBA.log -- the SQL commands that are currently allowed on a new FB 3 database when run by SYSDBA;
4) rdb-vulnerable-statements-NON_sys.log -- the same as "3" but run by a NON-PRIVILEGED user.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://tracker.firebirdsql.org/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
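Added example, not one of the scripts in the attachment and not Firebird project code: a Firebird 3 isql script that does what the report describes, namely walk every persistent RDB$ table, attempt the listed DML and DDL statement kinds through EXECUTE STATEMENT, and record the ones the engine accepts. Run it as the account under test (SYSDBA, or the unprivileged user the prepare script creates; that user needs the CREATE TABLE privilege for the log table) against a THROWAWAY database. The DML probes carry "where 1=0" so they change nothing even when permitted, because Firebird checks table privileges when the statement is prepared, not per row; the DDL probes really execute inside the work transaction, which the script rolls back at the end, while the log rows are written in autonomous transactions so they survive that rollback. The table name rdb_permitted_stmts, the column name zz_probe and the "$R"/"$F" placeholders are this example's own assumptions.

```sql
-- Log table for statements the engine accepted (name is this example's assumption).
RECREATE TABLE rdb_permitted_stmts (
    run_by    VARCHAR(63) DEFAULT CURRENT_USER,
    rel_name  VARCHAR(63),
    stmt_kind VARCHAR(20),
    stmt      VARCHAR(512)
);
COMMIT;

SET TERM ^ ;
EXECUTE BLOCK AS
    DECLARE rel   VARCHAR(63);
    DECLARE fld   VARCHAR(63);
    DECLARE kind  VARCHAR(20);
    DECLARE tpl   VARCHAR(512);
    DECLARE stmt  VARCHAR(512);
    DECLARE dummy VARCHAR(255);
BEGIN
    -- Every system table (RDB$SYSTEM_FLAG = 1). Views are skipped because WITH LOCK
    -- and most ALTER TABLE forms are rejected on views for reasons unrelated to privilege.
    FOR SELECT TRIM(r.rdb$relation_name)
        FROM rdb$relations r
        WHERE r.rdb$system_flag = 1 AND r.rdb$relation_type = 0
        ORDER BY 1
        INTO :rel
    DO BEGIN
        -- One pre-existing column, used by the UPDATE/SELECT probes and as the
        -- "OLD column" target of the ALTER/DROP COLUMN probes.
        SELECT FIRST 1 TRIM(f.rdb$field_name)
        FROM rdb$relation_fields f
        WHERE f.rdb$relation_name = :rel
        ORDER BY f.rdb$field_position
        INTO :fld;

        -- Probe templates ($R = table, $F = column), ordered so that destructive DDL
        -- comes last and a permitted DROP cannot mask the outcome of later probes.
        FOR SELECT p.kind, p.tpl FROM (
            SELECT 1 n, 'insert' kind, 'insert into $R ($F) select $F from $R where 1=0' tpl FROM rdb$database
            UNION ALL SELECT 2,  'select lock',  'select $F from $R where 1=0 with lock'    FROM rdb$database
            UNION ALL SELECT 3,  'update',       'update $R set $F = $F where 1=0'          FROM rdb$database
            UNION ALL SELECT 4,  'delete',       'delete from $R where 1=0'                  FROM rdb$database
            UNION ALL SELECT 5,  'add column',   'alter table $R add zz_probe integer'       FROM rdb$database
            UNION ALL SELECT 6,  'drop not null','alter table $R alter $F drop not null'     FROM rdb$database
            UNION ALL SELECT 7,  'set default',  'alter table $R alter $F set default null'  FROM rdb$database
            UNION ALL SELECT 8,  'add check',    'alter table $R add check ($F is not null)' FROM rdb$database
            UNION ALL SELECT 9,  'drop column',  'alter table $R drop $F'                    FROM rdb$database
            UNION ALL SELECT 10, 'drop table',   'drop table $R'                             FROM rdb$database
        ) p ORDER BY p.n
        INTO :kind, :tpl
        DO BEGIN
            stmt = REPLACE(REPLACE(tpl, '$R', rel), '$F', fld);
            BEGIN
                IF (kind = 'select lock') THEN
                    -- a statement returning rows needs an INTO target
                    FOR EXECUTE STATEMENT stmt INTO :dummy DO BEGIN END
                ELSE
                    EXECUTE STATEMENT stmt;
                -- No exception: the engine let this user do it to a system table. Log it
                -- outside the work transaction so the record survives the final ROLLBACK.
                IN AUTONOMOUS TRANSACTION DO
                    INSERT INTO rdb_permitted_stmts (rel_name, stmt_kind, stmt)
                    VALUES (:rel, :kind, :stmt);
            WHEN ANY DO
                BEGIN END   -- refused (or failed for another reason): not logged
            END
        END
    END
END^
SET TERM ; ^
ROLLBACK;  -- discard any DDL that really got applied to the system tables

-- Report: per system table, what the current user was allowed to do.
SELECT rel_name, LIST(stmt_kind, ', ') AS permitted
FROM rdb_permitted_stmts
GROUP BY rel_name;
```

Two caveats when reading the report. The WHEN ANY handler swallows every error, so a probe that fails for a non-privilege reason (for example DROP NOT NULL on a column that is already nullable) is not logged either; the report is therefore a lower bound on what is permitted. And if an engine build refuses the operation with a message about system tables rather than a missing privilege, the distinction is invisible here; to separate the two, replace the single WHEN ANY with a WHEN GDSCODE no_priv handler plus a second handler that logs the other error codes.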