Skip to content

too many grants lose privileges [CORE216] #544

@firebird-automations

Description

@firebird-automations

Submitted by: Ann Harrison (awharrison)

Relate to CORE1957
Relate to CORE2223
Is related to QA324

Votes: 3

SFID: 1089861#⁠
Submitted By: awharrison

Issuing more than 2000 grants on any one object causes
an internal buffer flow in generating the access
control list that actually enforces the rights.

GRANT INSERT ON MY_TABLE TO TRIGGER T1;
GRANT INSERT ON MY_TABLE TO TRIGGER T2;
GRANT INSERT ON MY_TABLE TO TRIGGER T3;
...
GRANT INSERT ON MY_TABLE TO TRIGGER T2201;

All the grants are on the same object - in this case a
table and are given to differen entities, in this case,
2201 different triggers. Duplicate grants don't count
in the total.

In Firebird 1.0.x, some grants will not be recognized
at runtime. Grants to procedures disappear first, then
triggers, views, and finally users.

In Firebird 1.5.x, the acl is corrupted and no access
rights are recognized.

The problem normally arises because rights granted to
triggers, views, and procedures are not removed when
the triggers, views, or procedures are deleted.

The workaround is to manually remove obsolete records
from RDB$USER_PRIVILEGES until the total number of
grants on any one object is less than 1900. The actual
restriction is that the size of the ACL must be less
than 64Kb, where each ACL consists of the name of the
object to which the grant is made and a grant type,
grantee type, and some other bytes.

Commits: aeba7e6

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions