[patches] [security 1/1] security: Prohibit to drop super role
Vladimir Davydov
vdavydov.dev at gmail.com
Mon Jan 29 19:45:17 MSK 2018
On Mon, Jan 29, 2018 at 04:58:06PM +0300, imarkov wrote:
> * Create constant SUPER - id of super role
> * Forward the constant to box.schema
> * Add checks on drop super role
>
> Closes #3084
>
> Signed-off-by: imarkov <imarkov at tarantool.org>
> ---
> src/box/lua/schema.lua | 5 +++--
> src/box/lua/space.cc | 2 ++
> src/box/user_def.h | 1 +
> test/box/access.result | 12 ++++++++++++
> test/box/access.test.lua | 3 +++
> 5 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
> index 207e944..28e4d81 100644
> --- a/src/box/lua/schema.lua
> +++ b/src/box/lua/schema.lua
> @@ -2070,7 +2070,8 @@ box.schema.user.drop = function(name, opts)
> box.error(box.error.DROP_USER, name,
> "the user or the role is a system")
> end
> - if uid == box.session.uid() or uid == box.session.euid() then
> + if uid == box.session.uid() or uid == box.session.euid()
> + or uid == box.schema.SUPER_ROLE_ID then
> box.error(box.error.DROP_USER, name,
> "the user is active in the current session")
Wrong error message.
> end
> @@ -2143,7 +2144,7 @@ box.schema.role.drop = function(name, opts)
> return
> end
> if uid >= box.schema.SYSTEM_USER_ID_MIN and
> - uid <= box.schema.SYSTEM_USER_ID_MAX then
> + uid <= box.schema.SYSTEM_USER_ID_MAX or uid == box.schema.SUPER_ROLE_ID then
This looks ugly :-/
- we have SYSTEM_USER_ID_MIN/MAX, but the SUPER role stands aside
- we export the id of the SUPER role to Lua, but we don't export ids of
GUEST, ADMIN, or PUBLIC
- we disallow to drop GUEST/ADMIN/PUBLIC in alter.cc, but we allow to
delete SUPER there
We need to do something about that...
> -- gh-1205: box.schema.user.info fails
> box.error(box.error.DROP_USER, name, "the user or the role is a system")
> end
> diff --git a/src/box/lua/space.cc b/src/box/lua/space.cc
> index 3a4fe5b..6ef0573 100644
> --- a/src/box/lua/space.cc
> +++ b/src/box/lua/space.cc
> @@ -386,6 +386,8 @@ box_lua_space_init(struct lua_State *L)
> lua_setfield(L, -2, "SYSTEM_USER_ID_MIN");
> lua_pushnumber(L, BOX_SYSTEM_USER_ID_MAX);
> lua_setfield(L, -2, "SYSTEM_USER_ID_MAX");
> + lua_pushnumber(L, SUPER);
> + lua_setfield(L, -2, "SUPER_ROLE_ID");
> lua_pushnumber(L, BOX_INDEX_MAX);
> lua_setfield(L, -2, "INDEX_MAX");
> lua_pushnumber(L, BOX_SPACE_MAX);
> diff --git a/src/box/user_def.h b/src/box/user_def.h
> index 1104ec6..8bf31c2 100644
> --- a/src/box/user_def.h
> +++ b/src/box/user_def.h
> @@ -170,6 +170,7 @@ enum {
> GUEST = 0,
> ADMIN = 1,
> PUBLIC = 2, /* role */
> + SUPER = 31, /* role */
> BOX_SYSTEM_USER_ID_MAX = PUBLIC
> };
More information about the Tarantool-patches
mailing list