Subject | Re: [Firebird-Architect] Create of RDB$USERS |
---|---|
Author | Alex Peshkov |
Post date | 2005-10-19T15:01:18Z |
Jim Starkey wrote:
> Alex Peshkov wrote:
>> Well, let's leave them 128.
>>
>> Let's ask another question - who sees any problems, restricting
>> rdb$user_name to 31?
>
> I think that is an incredibly stupid idea. Why would we want to do
> that? I suspect that the current implementation has an across the board
> restriction of 31 bytes for identifiers, but I want to raise this to 128
> characters anyway. What earthly good would restricting user identifiers
> to 31 characters do?
>
Related question - there is a real security bug, which comes from
UserName length. In order to create a security class from a user name,
the "SQL$" prefix is added to it. That's why the effective length of a user name
is not 31, but 27. All checks are done for 31, not 27. Therefore 2
users, whose names differ only in the last 4 bytes, will have the same security class
and share access rights to databases.
What should we do with it?
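The collision Alex describes, as an added illustration (this is not Firebird's code, and the thread reached no decision on a fix). It takes only what the post states: the security class name is "SQL$" plus the user name, identifiers are limited to 31 bytes, so just 27 bytes of the user name matter. The function names, the 27-byte check offered as one possible fix, and the sample user names are this example's own assumptions.

```python
"""
Added illustration (not Firebird's code) of the name-length collision
described in the post: a security class name is "SQL$" + user name,
clipped to the 31-byte identifier limit, so only 27 bytes of the user
name are significant. Constants and function names are this example's own.
"""

IDENTIFIER_MAX = 31                                  # identifier limit named in the post
PREFIX = b"SQL$"                                     # prefix prepended to the user name
EFFECTIVE_USER_MAX = IDENTIFIER_MAX - len(PREFIX)    # 27 bytes of user name survive


def security_class_name(user_name: bytes) -> bytes:
    """Build the security class name as the post describes: prepend the
    prefix, then clip to the identifier limit. Bytes are used because the
    post talks about bytes, not characters."""
    return (PREFIX + user_name)[:IDENTIFIER_MAX]


def passes_current_check(user_name: bytes) -> bool:
    """The check the post says exists today: user name length against 31."""
    return 0 < len(user_name) <= IDENTIFIER_MAX


def passes_fixed_check(user_name: bytes) -> bool:
    """One possible fix (an assumption here, not something the thread
    settled): check against the length that actually survives prefixing."""
    return 0 < len(user_name) <= EFFECTIVE_USER_MAX


def colliding_classes(user_names):
    """Map each security class name shared by more than one user name to
    the list of user names that produce it. An empty result means no two
    users would share access rights through this mechanism."""
    by_class = {}
    for name in user_names:
        by_class.setdefault(security_class_name(name), []).append(name)
    return {cls: names for cls, names in by_class.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample names: 31 bytes each, identical in the first 27
    # bytes and differing only in the last 4. Both pass today's 31-byte check.
    first = b"A" * 27 + b"AAAA"
    second = b"A" * 27 + b"ZZZZ"
    assert passes_current_check(first) and passes_current_check(second)
    # ...yet both map onto the same security class.
    print(colliding_classes([first, second, b"SYSDBA"]))
    # The 27-byte check rejects both before the collision can occur.
    print(passes_fixed_check(first), passes_fixed_check(second))
```

Running it shows the two 31-byte names grouped under the single class name `SQL$` followed by 27 `A`s, while `SYSDBA` stands alone; the same loop can be run over an existing user list to find pairs that already collide.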