[ http://tracker.firebirdsql.org/browse/CORE-4985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dmitry Yemanov reopened CORE-4985:
----------------------------------

    Fix Version/s:     (was: 4.0 Alpha 1)

Re-opened due to regression found, fix is rolled back.

> Non-privileged user can implicitly count records in a restricted table
> ----------------------------------------------------------------------
>
>                 Key: CORE-4985
>                 URL: http://tracker.firebirdsql.org/browse/CORE-4985
>             Project: Firebird Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.5.5, 3.0 RC2, 4.0 Initial
>            Reporter: Pavel Zotov
>            Assignee: Dmitry Yemanov
>
> SQL> create or alter user john password '123';
> SQL> create table test(id int);
> SQL> set count on;
> SQL> insert into test select row_number()over() from rdb$types rows 7;
> Records affected: 7
> SQL> commit;
> SQL> revoke all on all from john;
> Warning: ALL on ALL is not granted to JOHN.
> SQL> commit;
> SQL> connect '/3333:e30' user john password '123';
> Database: '/3333:e30', User: JOHN
> SQL> select count(*) from test;
> Statement failed, SQLSTATE = 28000
> no permission for SELECT access to TABLE TEST ----- OK, expected
> SQL> set count on;
> SQL> select 1 from test;
>     CONSTANT
> ============
>            1
>            1
>            1
>            1
>            1
>            1
>            1
> Records affected: 7 -------------- ?? Why can he know the result of COUNT(*)
> this way?
> WI-V3.0.0.32136
> PS. Maybe this is not a bug, but IMO the user should not have *any* knowledge
> about such a table, even about the number of rows in it.

-- 
This message is automatically generated by JIRA.

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
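
A regression check for the behaviour reported above, as an added example that is not part of the JIRA message or the Firebird code base: it scans a captured isql transcript and reports every statement that a given user ran against a restricted table without being refused with SQLSTATE 28000. The function names are hypothetical, and the transcript is constructed from the session quoted in the report.

```python
import re

# Constructed sample: the part of the reported isql session that runs as JOHN.
TRANSCRIPT = """\
SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN
SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST
SQL> set count on;
SQL> select 1 from test;
    CONSTANT
============
           1
           1
           1
           1
           1
           1
           1
Records affected: 7
"""


def split_statements(transcript):
    """Return [(statement, output_text), ...], one pair per 'SQL>' prompt."""
    pairs = []
    for chunk in re.split(r"^SQL> ", transcript, flags=re.M)[1:]:
        stmt, _, output = chunk.partition("\n")
        pairs.append((stmt.strip(), output))
    return pairs


def find_leaks(transcript, user, table):
    """Return (statement, rows_affected) for statements `user` ran on `table` without denial."""
    current_user, leaks = None, []
    table_re = re.compile(r"\b%s\b" % re.escape(table), re.I)
    for stmt, output in split_statements(transcript):
        m = re.search(r"User: (\S+)", output)
        if stmt.lower().startswith("connect") and m:
            current_user = m.group(1).upper()  # isql echoes the attached user name
            continue
        if (current_user != user.upper() or not table_re.search(stmt)
                or "SQLSTATE = 28000" in output):
            continue  # other user, other table, or access correctly refused
        m = re.search(r"Records affected: (\d+)", output)
        leaks.append((stmt, int(m.group(1)) if m else None))
    return leaks
```

On the transcript above the check flags `select 1 from test;` with a row count of 7, while the refused `select count(*)` passes.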