Subject Re: [Firebird-Architect] Execute Statement for Vulcan
Author Jim Starkey
Vlad Horsun wrote:

> I'm pretty sure that the current security rules for EXECUTE STATEMENT are
>good and right rules. Dynamic SQL must be checked against the privileges of its
>creator. Since we can't check whether this dynamic statement was written by the
>procedure creator within that procedure or came into the procedure as a parameter,
>we must apply the strongest security check. For example
>
>CREATE PROCEDURE EXEC_ALL (SQL VARCHAR(4096))
>AS
>BEGIN
> EXECUTE STATEMENT :SQL;
>END
>
> Since "SQL" is written by the calling user, it must be checked against the
>privileges of that user.
>
No, that's not right. The statements should be checked by the agent who
tries to execute it. The fact that your mother-in-law may have written
the actual SQL has nothing to do with the matter.

>The procedure creator knows nothing about this statement.
>Procedure privileges have nothing in common with that dynamic statement.
>
Wrong again. A procedure writer is responsible for using his privileges
properly as is any software author. These privileges come from the union
of the user's and procedure's privileges. This should apply like any other
statements.

That said, I favor (and have implemented) a mechanism by which
privileges can be dropped and resumed at runtime; this is critical
functionality for any web application. But this should apply to all
statements uniformly and not have separate rules for static and dynamic
statements.

> Else
>we can have a big security hole in the worst case.
>
>
No, we don't have a security hole, a bad programmer has a security
hole. But this is hardly new and is probably unavoidable.


--

Jim Starkey
Netfrastructure, Inc.
978 526-1376
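
The two checking rules argued over in this thread, together with a runtime privilege drop, modelled in Python as an added example (not code from the post, Firebird or Vulcan). The principal names, grants, mini-parser and `dropped` flag are constructed assumptions; the model shows only which check passes, not how any engine implements it.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    privs: set = field(default_factory=set)   # {(action, object), ...}

def required_privilege(sql):
    """Constructed mini-parser: map a one-table statement to (action, table)."""
    w = sql.upper().rstrip(";").split()
    if w[0] in ("SELECT", "DELETE"):
        return (w[0], w[w.index("FROM") + 1])
    if w[0] == "UPDATE":
        return ("UPDATE", w[1])
    raise ValueError("statement not covered by this model")

def caller_only(user, proc, dropped=False):
    # First position in the thread: dynamic SQL is checked against the caller alone.
    return set(user.privs)

def union_rule(user, proc, dropped=False):
    # Second position: user privileges plus procedure privileges,
    # unless the procedure has dropped its own at runtime (assumed semantics).
    return set(user.privs) if dropped else user.privs | proc.privs

def execute_statement(sql, user, proc, rule, dropped=False):
    """Return True if the statement passes the privilege check under `rule`."""
    if ("EXECUTE", proc.name) not in user.privs:
        return False                      # caller may not run the procedure at all
    return required_privilege(sql) in rule(user, proc, dropped)

# Constructed sample grants: the procedure holds a privilege the caller lacks.
WEBUSER = Principal("WEBUSER", {("EXECUTE", "EXEC_ALL"), ("SELECT", "ORDERS")})
EXEC_ALL = Principal("EXEC_ALL", {("DELETE", "AUDIT_LOG")})

def demo():
    sql = "DELETE FROM AUDIT_LOG"         # statement text supplied by the caller
    return {
        "caller_only": execute_statement(sql, WEBUSER, EXEC_ALL, caller_only),
        "union": execute_statement(sql, WEBUSER, EXEC_ALL, union_rule),
        "union_dropped": execute_statement(sql, WEBUSER, EXEC_ALL, union_rule, dropped=True),
    }

if __name__ == "__main__":
    for rule, ok in demo().items():
        print(f"{rule:14} -> {'allowed' if ok else 'denied'}")
```

Under the union rule the pass-through procedure lends its DELETE privilege to whatever text the caller supplies; dropping the procedure's privileges before executing that text gives the same result as the caller-only check while keeping one rule for all statements.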