Subject Re: SetUID stored procedures?
Author vandy899
--- In firebird-support@yahoogroups.com, "Steffen Heil" <lists@s...>
wrote:
> Hi
>
> > I was just thinking, for some of the tables that I've made,
> > it would be good if I could make it so that ordinary users
> > could not SELECT * (for instance) on it, nor INSERT INTO, but
> > could use stored procedures that *DO* do these things. I was
> > thinking that this could be implemented by marking those
> > stored procedures as having been marked SetUID by a
> > particular user, and so they would run with the privs of that
> > user (similar to UNIX). I don't think this is possible on
> > any other platform, but I could be wrong. Is this possible
> > on Firebird right now? I couldn't see anything like that in
> > the manual... (Mind, not even PostgreSQL has it, and they
> > seem to have *everything* under the sun...) :)
>
> It is possible right now.
> All firebird stored procedures have SetUID on, and change rights to the
> owner of the stored procedure.
>
> Example:
> Table T, Stored Procedure S
> User U and H
>
> Don't give any privileges for T to U, but all to H.
> Let S be owned by H.
> Give execute rights for S to U.
>
> Never give anyone credentials for H, but for U.
>
> Now users can access T only using S.
>
> At least this is the way I understand SQL security.
>
> Regards,
> Steffen

That's not the way I understood it... I created these objects as
SYSDBA, GRANT EXECUTE ON PROCEDURE $PROC to $USER, but when I EXECUTE
PROCEDURE $PROC, it states that I don't have sufficient privs to
INSERT INTO - despite the fact that SYSDBA obviously has sufficient privs.

Cheers,

Michael
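
One way to set up the arrangement discussed in this thread, as an added example that is not part of either post: Firebird accepts a stored procedure as the grantee of a table privilege, so the table access can be given to S itself while U receives only EXECUTE. T, S and U are the names from the quoted example; the column names, parameter names and the final check query are assumptions made for illustration.

```sql
-- Added example for isql, run as the owner of the objects.
-- T, S, U come from the quoted example; ID/NOTE and P_ID/P_NOTE are assumed names.

CREATE TABLE T (
    ID   INTEGER NOT NULL PRIMARY KEY,
    NOTE VARCHAR(100)
);

SET TERM ^ ;

-- The only path to T that ordinary users are meant to have.
CREATE PROCEDURE S (P_ID INTEGER, P_NOTE VARCHAR(100))
AS
BEGIN
    INSERT INTO T (ID, NOTE) VALUES (:P_ID, :P_NOTE);
END^

SET TERM ; ^

COMMIT;

-- No GRANT on T is issued to U, so U has no direct SELECT or INSERT on it.

-- Give the table privilege to the procedure itself, not to a user.
GRANT INSERT ON T TO PROCEDURE S;

-- U may call the procedure and nothing else.
GRANT EXECUTE ON PROCEDURE S TO U;

COMMIT;

-- Check what was actually granted: one row should name procedure S as the
-- holder of the privilege on T, another should name U as the holder of
-- EXECUTE on S, and no row should give U a privilege on T.
SELECT RDB$USER, RDB$PRIVILEGE, RDB$RELATION_NAME, RDB$USER_TYPE
FROM RDB$USER_PRIVILEGES
WHERE RDB$RELATION_NAME IN ('T', 'S')
ORDER BY RDB$RELATION_NAME, RDB$USER;
```

If the procedure also reads from T, add SELECT to the privileges granted to PROCEDURE S in the same way.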