[patches] [security 1/1] security: Prohibit to drop super role
imarkov
imarkov at tarantool.org
Mon Jan 29 16:58:06 MSK 2018
* Create constant SUPER - id of super role
* Forward the constant to box.schema
* Add checks on drop super role
Closes #3084
Signed-off-by: imarkov <imarkov at tarantool.org>
---
src/box/lua/schema.lua | 5 +++--
src/box/lua/space.cc | 2 ++
src/box/user_def.h | 1 +
test/box/access.result | 12 ++++++++++++
test/box/access.test.lua | 3 +++
5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index 207e944..28e4d81 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -2070,7 +2070,8 @@ box.schema.user.drop = function(name, opts)
box.error(box.error.DROP_USER, name,
"the user or the role is a system")
end
- if uid == box.session.uid() or uid == box.session.euid() then
+ if uid == box.session.uid() or uid == box.session.euid()
+ or uid == box.schema.SUPER_ROLE_ID then
box.error(box.error.DROP_USER, name,
"the user is active in the current session")
end
@@ -2143,7 +2144,7 @@ box.schema.role.drop = function(name, opts)
return
end
if uid >= box.schema.SYSTEM_USER_ID_MIN and
- uid <= box.schema.SYSTEM_USER_ID_MAX then
+ uid <= box.schema.SYSTEM_USER_ID_MAX or uid == box.schema.SUPER_ROLE_ID then
-- gh-1205: box.schema.user.info fails
box.error(box.error.DROP_USER, name, "the user or the role is a system")
end
diff --git a/src/box/lua/space.cc b/src/box/lua/space.cc
index 3a4fe5b..6ef0573 100644
--- a/src/box/lua/space.cc
+++ b/src/box/lua/space.cc
@@ -386,6 +386,8 @@ box_lua_space_init(struct lua_State *L)
lua_setfield(L, -2, "SYSTEM_USER_ID_MIN");
lua_pushnumber(L, BOX_SYSTEM_USER_ID_MAX);
lua_setfield(L, -2, "SYSTEM_USER_ID_MAX");
+ lua_pushnumber(L, SUPER);
+ lua_setfield(L, -2, "SUPER_ROLE_ID");
lua_pushnumber(L, BOX_INDEX_MAX);
lua_setfield(L, -2, "INDEX_MAX");
lua_pushnumber(L, BOX_SPACE_MAX);
diff --git a/src/box/user_def.h b/src/box/user_def.h
index 1104ec6..8bf31c2 100644
--- a/src/box/user_def.h
+++ b/src/box/user_def.h
@@ -170,6 +170,7 @@ enum {
GUEST = 0,
ADMIN = 1,
PUBLIC = 2, /* role */
+ SUPER = 31, /* role */
BOX_SYSTEM_USER_ID_MAX = PUBLIC
};
diff --git a/test/box/access.result b/test/box/access.result
index ac53c1f..a803b60 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -779,6 +779,18 @@ box.space._user.index.name:delete{'public'}
---
- true
...
+box.schema.role.drop('super')
+---
+- error: 'Failed to drop user or role ''super'': the user or the role is a system'
+...
+box.space._user.index.name:delete{'super'}
+---
+- error: 'Failed to drop user or role ''super'': the user has objects'
+...
+#box.schema.role.info('super') > 0
+---
+- true
+...
-- gh-944 name is too long
name = string.rep('a', box.schema.NAME_MAX - 1)
---
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 59dc55f..911afee 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -306,6 +306,9 @@ box.space._user.index.name:delete{'admin'}
box.schema.role.drop('public')
box.space._user.index.name:delete{'public'}
#box.schema.role.info('public') > 0
+box.schema.role.drop('super')
+box.space._user.index.name:delete{'super'}
+#box.schema.role.info('super') > 0
-- gh-944 name is too long
name = string.rep('a', box.schema.NAME_MAX - 1)
--
2.7.4
More information about the Tarantool-patches
mailing list