| Subject | Connect using a ROLE that has not been GRANTed |
|---|---|
| Author | Jarrod Hollingworth |
| Post date | 2008-04-17T04:18:45Z |
Firebird 1.5.2
In setting up some users and roles I accidentally discovered that I can
connect specifying a role that has not been granted to the user. Is this
normal behavior?
It seems to default to the role that IS granted to the user. What happens if
there are multiple roles granted to the user? Does it default to the first?
Example follows. Users in database are SYSDBA, GENUSER (grant to role
GENROLE) and ADVUSER (grant to role ADVROLE).
Show roles and grants
---------------------
SQL> connect 127.0.0.1:test user SYSDBA password xxxxxxxx;
Database: 127.0.0.1:test, User: SYSDBA
SQL> show role;
ADVROLE GENROLE
SQL> show grant;
/* Grant permissions for this database */
GRANT SELECT, REFERENCES ON CATEGORY TO USER ADVUSER
GRANT SELECT, REFERENCES ON V_CATEGORYGEN TO USER ADVUSER
GRANT SELECT, REFERENCES ON V_CATEGORYGEN TO USER GENUSER
GRANT ADVROLE TO ADVUSER
GRANT GENROLE TO GENUSER
SQL> exit;
Connect using non granted role
------------------------------
SQL> connect 127.0.0.1:test user GENUSER role ADVROLE password xxxxxxxx;
Database: 127.0.0.1:test, User: GENUSER, Role: ADVROLE
Test privileges
---------------
SQL> select id from category;
Statement failed, SQLCODE = -551
no permission for read/select access to TABLE CATEGORY
SQL> select id from v_categorygen;
ID
============
0
1
2
3
4
5
[The above is correct for the users GRANTed role, not the connect role]
I would not have expected the connect to succeed. The privileges follow that
of role GENROLE which IS granted to the user but was not specified in the
connection. ie. No security breach but strange that the connection succeeded
and role seems to default to users granted role.
Regards,
Jarrod Hollingworth
### Complete Time Tracking ###
### EASY, ACCURATE and FLEXIBLE time tracking ###
### for single or multiple users. ###
### http://www.complete-time-tracking.com ###
In setting up some users and roles I accidentally discovered that I can
connect specifying a role that has not been granted to the user. Is this
normal behavior?
It seems to default to the role that IS granted to the user. What happens if
there are multiple roles granted to the user? Does it default to the first?
Example follows. Users in database are SYSDBA, GENUSER (grant to role
GENROLE) and ADVUSER (grant to role ADVROLE).
Show roles and grants
---------------------
SQL> connect 127.0.0.1:test user SYSDBA password xxxxxxxx;
Database: 127.0.0.1:test, User: SYSDBA
SQL> show role;
ADVROLE GENROLE
SQL> show grant;
/* Grant permissions for this database */
GRANT SELECT, REFERENCES ON CATEGORY TO USER ADVUSER
GRANT SELECT, REFERENCES ON V_CATEGORYGEN TO USER ADVUSER
GRANT SELECT, REFERENCES ON V_CATEGORYGEN TO USER GENUSER
GRANT ADVROLE TO ADVUSER
GRANT GENROLE TO GENUSER
SQL> exit;
Connect using non granted role
------------------------------
SQL> connect 127.0.0.1:test user GENUSER role ADVROLE password xxxxxxxx;
Database: 127.0.0.1:test, User: GENUSER, Role: ADVROLE
Test privileges
---------------
SQL> select id from category;
Statement failed, SQLCODE = -551
no permission for read/select access to TABLE CATEGORY
SQL> select id from v_categorygen;
ID
============
0
1
2
3
4
5
[The above is correct for the users GRANTed role, not the connect role]
I would not have expected the connect to succeed. The privileges follow that
of role GENROLE which IS granted to the user but was not specified in the
connection. ie. No security breach but strange that the connection succeeded
and role seems to default to users granted role.
Regards,
Jarrod Hollingworth
### Complete Time Tracking ###
### EASY, ACCURATE and FLEXIBLE time tracking ###
### for single or multiple users. ###
### http://www.complete-time-tracking.com ###