[patches] [security 1/1] security: Change checks on usage access
imarkov
imarkov at tarantool.org
Mon Jan 29 17:53:12 MSK 2018
From: IlyaMarkovMipt <markovilya197 at gmail.com>
* Add following behavior:
The owner of an object cannot use her own objects if she does not have usage
access.
* Change access checks of space, sequence, function objects
Similar checks of other objects are performed in alter.cc.
Signed-off-by: imarkov <imarkov at tarantool.org>
---
src/box/call.c | 3 +-
src/box/sequence.c | 4 +-
src/box/space.c | 5 +-
test/box/access_misc.result | 103 ++++++++++++++++++++++++++++++++++++++++++
test/box/access_misc.test.lua | 40 ++++++++++++++++
5 files changed, 150 insertions(+), 5 deletions(-)
diff --git a/src/box/call.c b/src/box/call.c
index 3312477..105546f 100644
--- a/src/box/call.c
+++ b/src/box/call.c
@@ -72,7 +72,8 @@ access_check_func(const char *name, uint32_t name_len, struct func **funcp)
}
user_access_t access = PRIV_X | PRIV_U;
user_access_t func_access = access & ~credentials->universal_access;
- if (func == NULL || (func->def->uid != credentials->uid &&
+ if (func == NULL || (func_access & PRIV_U) == PRIV_U ||
+ (func->def->uid != credentials->uid &&
func_access & ~func->access[credentials->auth_token].effective)) {
/* Access violation, report error. */
struct user *user = user_find(credentials->uid);
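Review bot: The usage test `(func_access & PRIV_U) == PRIV_U` added at L28 is the same expression the sequence.c and space.c hunks introduce, and since PRIV_U is a single bit it reads more directly as `func_access & PRIV_U`; a small shared helper used by all three call sites would keep the universe-usage rule in one place instead of three hand-copied conditions. Folding the test into the same `if` as `func == NULL` means the branch below now covers three different causes, and the expected output in access_misc.result names the universe rather than the function, so the error reporting that follows — it continues outside the hunk — must tell a failed usage check apart from an object-level denial. A comment such as `/* Usage on the universe is required even for the owner (gh-3089). */` above the condition would record why the owner shortcut no longer applies.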
diff --git a/src/box/sequence.c b/src/box/sequence.c
index 0f6a8ca..c73e2e9 100644
--- a/src/box/sequence.c
+++ b/src/box/sequence.c
@@ -250,8 +250,8 @@ access_check_sequence(struct sequence *seq)
user_access_t access = PRIV_U | PRIV_W;
user_access_t sequence_access = access & ~cr->universal_access;
- if (seq->def->uid != cr->uid &&
- sequence_access & ~seq->access[cr->auth_token].effective) {
+ if ((sequence_access & PRIV_U) == PRIV_U || (seq->def->uid != cr->uid &&
+ sequence_access & ~seq->access[cr->auth_token].effective)) {
/* Access violation, report error. */
struct user *user = user_find(cr->uid);
if (user != NULL) {
diff --git a/src/box/space.c b/src/box/space.c
index c02eb88..056090c 100644
--- a/src/box/space.c
+++ b/src/box/space.c
@@ -55,8 +55,9 @@ access_check_space(struct space *space, user_access_t access)
*/
user_access_t space_access = access & ~cr->universal_access;
- if (space_access && space->def->uid != cr->uid &&
- space_access & ~space->access[cr->auth_token].effective) {
+ if ((space_access & PRIV_U) == PRIV_U ||
+ (space_access && space->def->uid != cr->uid &&
+ space_access & ~space->access[cr->auth_token].effective)) {
/*
* Report access violation. Throw "no such user"
* error if there is no user with this id.
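Review bot: The new guard at L56 only denies when the caller's `access` argument contains PRIV_U, because `space_access` is derived from that argument at L53; unlike call.c and sequence.c, which hard-code PRIV_U into the mask, this check is only as strong as the weakest caller of access_check_space(), and a caller passing 0 still skips both the usage and the owner rule via the existing `space_access &&` short-circuit. That contract is worth stating in the function's doc comment, e.g. `/* Callers must OR PRIV_U into access: universe usage is checked before any object-level or owner rule. */`, so a future caller that requests only PRIV_R or PRIV_W does not silently reopen the gh-3089 hole. The function's header and its error path are outside the hunk.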
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 67234ab..d358e5f 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -620,6 +620,109 @@ box.schema.user.drop('testuser')
s:drop()
---
...
+--
+-- gh-3089 usage access is not applied to owner
+--
+box.schema.user.grant("guest","read, write, execute, create", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s = box.schema.space.create("test")
+---
+...
+_ = s:create_index("prim")
+---
+...
+test_func = function() end
+---
+...
+box.schema.func.create('test_func')
+---
+...
+sq = box.schema.sequence.create("test")
+---
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("guest", "usage", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s:select{}
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+s:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:set(100)
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+c = require("net.box").connect(os.getenv("LISTEN"))
+---
+...
+c:call("test_func")
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("guest","read, write, execute, create", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s:select{}
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+s:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:set(100)
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+c = require("net.box").connect(os.getenv("LISTEN"))
+---
+...
+c:call("test_func")
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+box.session.su("admin")
+---
+...
+box.schema.user.grant("guest","usage", "universe")
+---
+...
+box.schema.func.drop("test_func")
+---
+...
+s:drop()
+---
+...
+sq:drop()
+---
+...
box.space._user:select()
---
- - [0, 1, 'guest', 'user', {'chap-sha1': 'vhvewKp0tNyweZQ+cFKAlsyphfg='}]
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index c23a021..18e4e68 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -243,6 +243,46 @@ box.schema.user.drop('testuser')
s:drop()
+--
+-- gh-3089 usage access is not applied to owner
+--
+box.schema.user.grant("guest","read, write, execute, create", "universe")
+box.session.su("guest")
+s = box.schema.space.create("test")
+_ = s:create_index("prim")
+test_func = function() end
+box.schema.func.create('test_func')
+sq = box.schema.sequence.create("test")
+box.session.su("admin")
+box.schema.user.revoke("guest", "usage", "universe")
+box.session.su("guest")
+
+s:select{}
+s:drop()
+sq:set(100)
+sq:drop()
+c = require("net.box").connect(os.getenv("LISTEN"))
+c:call("test_func")
+
+box.session.su("admin")
+box.schema.user.revoke("guest","read, write, execute, create", "universe")
+box.session.su("guest")
+
+s:select{}
+s:drop()
+sq:set(100)
+sq:drop()
+c = require("net.box").connect(os.getenv("LISTEN"))
+c:call("test_func")
+
+box.session.su("admin")
+
+box.schema.user.grant("guest","usage", "universe")
+
+box.schema.func.drop("test_func")
+s:drop()
+sq:drop()
+
box.space._user:select()
box.space._space:select()
box.space._func:select()
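Review bot: The scenario never checks the positive side: after `box.schema.user.grant("guest","usage", "universe")` at L216 the cleanup `box.schema.func.drop`, `s:drop()` and `sq:drop()` run as admin, so nothing verifies that the owner can use her objects again once usage is restored; a `box.session.su("guest")` followed by `s:select{}` and `sq:set(100)` before switching back to admin for the drops would pin both directions of the gh-3089 fix. The two net.box connections created at L200 and L211 are never closed; adding `c:close()` after each `c:call("test_func")` keeps them from outliving the test. The same applies to the access_misc.result hunk, which would need regenerating from the updated test.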
--
2.7.4