|Subject||Re: [IBDI] Internet|
|Author||Ann W. Harrison|
>At 09:34 AM 05-06-01 -0700, Pete Morris wrote:At 06:41 PM 6/5/2001 +1000, Helen Borrie wrote:
> >3) Create a user "pete_m" with no permissions to any databases
> >4) Log in as pete_m
> >5) Extracted the meta data for the new database without problems
> >6) Added a new table to the database without problems
>I've just done exactly the same thing on a 5.6 test database here.Turns out that if you grant select to public on rdb$relations, you
>This is NOT a Good Thing(TM).
stop users other than the owner from creating new tables ... through the GDML
interface. For reasons obscure, the SQL DDL interface ignores the grant.
Why is a grant required at all? The system relations still have a vestigial
relationship with the old GDML security, under which everything was permitted
unless explicitly prohibited. SQL security, the default on user tables,
prohibits everything that is not permitted. By granting select to public,
I switch RDB$RELATIONS from GDML to SQL security - a change that GDML notices
but SQL does not. Mysterious are the ways...
We have answers.