Unprivileged user can delete from RDB$DATABASE, RDB$COLLATIONS, RDB$CHARACTER_SETS [CORE3735] #4080

Closed
firebird-issue-importer opened this issue Jan 18, 2012 · 18 comments

Submitted by: @pavel-zotov

Is related to QA570
Relate to CORE4731

ISQL Version: LI-V2.5.2.26390 Firebird 2.5
Server version:
LI-V2.5.2.26390 Firebird 2.5

[firebird@firebirdG empbuild]$ isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'aaa.fdb'; commit;
SQL> connect aaa.fdb user usrxxx password 123;
Database: aaa.fdb, User: usrxxx
SQL> delete from rdb$collations;
SQL> commit;
Segmentation fault (core dumped)

Commits: f011229

====== Test Details ======

17.12.2016: it seems that we have to reduce the value of min_profit_for_fetches from 2.5 to 2.35:
violations of this threshold were detected several times, starting from 4.0.0.459 (date: ~ 25-Nov-2016).
Examples:
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.459/
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.463/
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.466/

Sent letter to dimitr, hvlad 17.12.2016 10:33, waiting for reply.

firebird-issue-importer commented Jan 18, 2012

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

firebird-issue-importer commented Jan 18, 2012

Commented by: @dyemanov

It should be prohibited for collations in v3. Perhaps for charsets too, I don't remember (it would be trivial to fix otherwise). As for RDB$DATABASE, I suppose a special solution (not ACL related) should be applied. The easiest thing would be to just unconditionally prohibit deletions from this table for everyone.

firebird-issue-importer commented Jan 18, 2012

Modified by: @pavel-zotov

description: [firebird@firebirdG empbuild]$ isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'aaa.fdb'; commit;
SQL> connect aaa.fdb user usrxxx password 123;
Database: aaa.fdb, User: usrxxx
SQL> delete from rdb$collations;
SQL> commit;
Segmentation fault (core dumped)

=>

ISQL Version: LI-V2.5.2.26390 Firebird 2.5
Server version:
LI-V2.5.2.26390 Firebird 2.5

[firebird@firebirdG empbuild]$ isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'aaa.fdb'; commit;
SQL> connect aaa.fdb user usrxxx password 123;
Database: aaa.fdb, User: usrxxx
SQL> delete from rdb$collations;
SQL> commit;
Segmentation fault (core dumped)

firebird-issue-importer commented Jan 18, 2012

Modified by: @dyemanov

assignee: Alexander Peshkov [ alexpeshkoff ] => Dmitry Yemanov [ dimitr ]

firebird-issue-importer commented Jan 18, 2012

Modified by: @dyemanov

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.0.6 [ 10303 ]

Version: 3.0 Initial [ 10301 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.0.5 [ 10222 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

Component: Engine [ 10000 ]

firebird-issue-importer commented Jan 18, 2012

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

firebird-issue-importer commented Jan 18, 2012

Commented by: Claudio Valderrama C. (robocop)

Prohibit deletions, insertions and modifications. AFAIK, writing there is not the user's business.

firebird-issue-importer commented Jan 18, 2012

Commented by: @pavel-zotov

> writing there is not the user's business.

Nobody knows what knowledge and skills are in the heads of our users...
For example, at my job there is one person who graduated from Moscow University (Department of Cybernetics).
I'm sure that he can, without any difficulty, install the FB client on his machine and perform such actions and other 'magic things' :-)
Fortunately, he is currently occupied with quite another job - he is just a storekeeper :-)

firebird-issue-importer commented Jan 19, 2012

Commented by: @dyemanov

Deletions can be prohibited unconditionally, hence my suggestion. Insertions and modifications require special checks because these operations can be performed by the engine itself.

firebird-issue-importer commented Jan 20, 2012

Modified by: @dyemanov

summary: user without any rights can delete from RDB$DATABASE, RDB$COLLATIONS, RDB$CHARACTER_SETS => Unprivileged user can delete from RDB$DATABASE, RDB$COLLATIONS, RDB$CHARACTER_SETS

firebird-issue-importer commented Jan 20, 2012

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

firebird-issue-importer commented Jan 20, 2012

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Alpha 1 [ 10331 ]

firebird-issue-importer commented Mar 24, 2012

Commented by: @pavel-zotov

Sorry, I forgot about this ticket and added some comments to another one (CORE3797).

Suddenly found that a non-privileged user can also delete the following objects that were created by SYSDBA:
1) SEQUENCES and
2) EXCEPTIONS

firebird-issue-importer commented Mar 25, 2012

Commented by: @dyemanov

This was known and fixed as well.

firebird-issue-importer commented Mar 29, 2014

Modified by: @pcisar

Link: This issue is related to QA570 [ QA570 ]

firebird-issue-importer commented May 31, 2015

Modified by: @dyemanov

Link: This issue relate to CORE4731 [ CORE4731 ]

firebird-issue-importer commented Jul 13, 2015

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

firebird-issue-importer commented Dec 17, 2016

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully => Done with caveats

Test Details: 17.12.2016: it seems that we have to reduce the value of min_profit_for_fetches from 2.5 to 2.35:
violations of this threshold were detected several times, starting from 4.0.0.459 (date: ~ 25-Nov-2016).
Examples:
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.459/
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.463/
http://web.firebirdsql.org/download/prerelease/results/archive/4.0.0.466/

Sent letter to dimitr, hvlad 17.12.2016 10:33, waiting for reply.
