db-derby-dev mailing list archives

From Satheesh Bandaram <sathe...@Sourcery.Org>
Subject Re: Right place to save database owner ...
Date Tue, 28 Feb 2006 21:23:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Daniel John Debrunner wrote:<br>
<blockquote cite="mid4404B64F.8010403@apache.org" type="cite">
  <pre wrap="">Satheesh Bandaram wrote:
[snip]
  </pre>
  <blockquote type="cite">
    <pre wrap="">I will add RoutinePermsDescriptors to allow execute privilege to
other system routines that all users should be able to invoke by
default. (like SYSCS_GET_DATABASE_PROPERTY, SYSCS_EXPORT_TABLE,
SYSCS_GET_RUNTIMESTATISTICS, SYSCS_IMPORT_TABLE,
SYSCS_SET_STATISTICS_TIMING, SYSCS_SET_RUNTIMESTATISTICS,
SYSCS_INPLACE_COMPRESS_TABLE, SYSCS_COMPRESS_TABLE)
    </pre>
  </blockquote>
  <pre wrap=""><!---->
SYSCS_GET_DATABASE_PROPERTY seems like one that should be restricted to
database owner. Not sure on the compress tables ones, seem more like
database owner.
  </pre>
</blockquote>
Right. Probably SYSCS_GET_DATABASE_PROPERTY should be restricted. If
BUILTIN authentication is being used, this can be used to get other
user passwords... Compress routines would still need schema owner
privilege to actually succeed. (at least offline version. There is a
defect open for inline version to change implementation) Would we like
to restrict them to DBA only for heavy resource use?<br>
<blockquote cite="mid4404B64F.8010403@apache.org" type="cite">
  <blockquote type="cite">
    <pre wrap="">I also think all routines in SYSIBM schema should be executable by
all.
Only DBA access for INSTALL_JAR, REMOVE_JAR and REPLACE_JAR, by default?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Any chance of a list of all system procedures and if they will be
executable by public or only database owner, security invoker or definer?
  </pre>
</blockquote>
I will update functional spec with this info. It already says all
system routines have external security set to INVOKER and default to
DBA only execute privilege. I will add a table to list system routines
that can be executed by any user, so this information can be pushed to
docs later.<br>
<br>
Satheesh
</body>
</html>

