Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

too many grants lose privileges [CORE216] #544

Closed
firebird-issue-importer opened this issue Dec 22, 2004 · 12 comments
Closed

too many grants lose privileges [CORE216] #544

firebird-issue-importer opened this issue Dec 22, 2004 · 12 comments

Comments

@firebird-issue-importer

Submitted by: Ann Harrison (awharrison)

Relate to CORE1957
Relate to CORE2223
Is related to QA324

Votes: 3

SFID: 1089861#⁠
Submitted By: awharrison

Issuing more than 2000 grants on any one object causes
an internal buffer flow in generating the access
control list that actually enforces the rights.

GRANT INSERT ON MY_TABLE TO TRIGGER T1;
GRANT INSERT ON MY_TABLE TO TRIGGER T2;
GRANT INSERT ON MY_TABLE TO TRIGGER T3;
...
GRANT INSERT ON MY_TABLE TO TRIGGER T2201;

All the grants are on the same object - in this case a
table and are given to differen entities, in this case,
2201 different triggers. Duplicate grants don't count
in the total.

In Firebird 1.0.x, some grants will not be recognized
at runtime. Grants to procedures disappear first, then
triggers, views, and finally users.

In Firebird 1.5.x, the acl is corrupted and no access
rights are recognized.

The problem normally arises because rights granted to
triggers, views, and procedures are not removed when
the triggers, views, or procedures are deleted.

The workaround is to manually remove obsolete records
from RDB$USER_PRIVILEGES until the total number of
grants on any one object is less than 1900. The actual
restriction is that the size of the ACL must be less
than 64Kb, where each ACL consists of the name of the
object to which the grant is made and a grant type,
grantee type, and some other bytes.

Commits: aeba7e6

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Mar 9, 2007

Commented by: Krzysztof Adamski (kadamski)

I have similar problem, but in my case I need big amount of triggers and grants and I cannot workaround this limitation as suggested. Here is how I tested it, I had two tables:

create table TEST_TABLE_1 (ID TP2_INTEGER not null);
create table TEST_TABLE_2 (ID TP2_INTEGER not null);

and grant insert only on the first table:

grant insert on TEST_TABLE_1 to USER_1;

so, to insert to the second table I had created a trigger:

create trigger TEST_AFTER_INSERT_TRIGGER0
for TEST_TABLE_1 active after insert position 0
as
begin
insert into TEST_TABLE_2 (ID) VALUES(http://NEW.ID);
end;

with grant:

grant insert on TEST_TABLE_2 to trigger TEST_AFTER_INSERT_TRIGGER0

I have tested it for growing amount of triggers, when 1861st trigger was created I lose proviliges on the second table, the error message was:

This user does not have privilege to perform this operation on this object.
-no permission for insert/write access to TABLE TEST_TABLE_2

Can anyboby tell me if there is any workaround for situation when I need big amount of grants on one table. I will appreciate if somebody can tell me if this limitation will be removed in the future versions of Firebird or it's just a feature which I have to accept.

Thank you,
Krzysztof Adamski

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jan 28, 2008

Modified by: @pcisar

Workflow: jira [ 10240 ] => Firebird [ 14469 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jun 24, 2008

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jun 24, 2008

Modified by: @dyemanov

Link: This issue relate to CORE1957 [ CORE1957 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jul 11, 2008

Commented by: @AlexPeshkoff

Fixed in HEAD.

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jul 11, 2008

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.5 Beta 1 [ 10251 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Dec 3, 2008

Modified by: @AlexPeshkoff

Link: This issue relate to CORE2223 [ CORE2223 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Feb 23, 2011

Modified by: @pcisar

Link: This issue is related to QA324 [ QA324 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Apr 25, 2013

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Apr 25, 2013

Commented by: @pcisar

Test added.

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jan 19, 2016

Modified by: @pavel-zotov

QA Status: No test

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Jan 19, 2016

Modified by: @pavel-zotov

QA Status: No test => Done successfully

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants