[patches] [security 1/1] security: Prohibit to drop super role

Vladimir Davydov vdavydov.dev at gmail.com
Mon Jan 29 19:45:17 MSK 2018


On Mon, Jan 29, 2018 at 04:58:06PM +0300, imarkov wrote:
> * Create constant SUPER - id of super role
> * Forward the constant to box.schema
> * Add checks on drop super role
> 
> Closes #3084
> 
> Signed-off-by: imarkov <imarkov at tarantool.org>
> ---
>  src/box/lua/schema.lua   |  5 +++--
>  src/box/lua/space.cc     |  2 ++
>  src/box/user_def.h       |  1 +
>  test/box/access.result   | 12 ++++++++++++
>  test/box/access.test.lua |  3 +++
>  5 files changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
> index 207e944..28e4d81 100644
> --- a/src/box/lua/schema.lua
> +++ b/src/box/lua/schema.lua
> @@ -2070,7 +2070,8 @@ box.schema.user.drop = function(name, opts)
>              box.error(box.error.DROP_USER, name,
>                        "the user or the role is a system")
>          end
> -        if uid == box.session.uid() or uid == box.session.euid() then
> +        if uid == box.session.uid() or uid == box.session.euid()
> +            or uid == box.schema.SUPER_ROLE_ID then
>              box.error(box.error.DROP_USER, name,
>                        "the user is active in the current session")

Wrong error message.

>          end
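
Review bot: in box.schema.user.drop the added `uid == box.schema.SUPER_ROLE_ID` test is OR-ed into the session check, so an attempt to drop the super role is reported as "the user is active in the current session", which is not the reason the drop is refused. Give it its own branch, or fold it into the check just above that raises "the user or the role is a system", so the caller sees the real cause.
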
> @@ -2143,7 +2144,7 @@ box.schema.role.drop = function(name, opts)
>          return
>      end
>      if uid >= box.schema.SYSTEM_USER_ID_MIN and
> -       uid <= box.schema.SYSTEM_USER_ID_MAX then
> +       uid <= box.schema.SYSTEM_USER_ID_MAX or uid == box.schema.SUPER_ROLE_ID then

This looks ugly :-/

 - we have SYSTEM_USER_ID_MIN/MAX, but the SUPER role stands aside
 - we export the id of the SUPER role to Lua, but we don't export ids of
   GUEST, ADMIN, or PUBLIC
 - we disallow to drop GUEST/ADMIN/PUBLIC in alter.cc, but we allow to
   delete SUPER there

We need to do something about that...

>          -- gh-1205: box.schema.user.info fails
>          box.error(box.error.DROP_USER, name, "the user or the role is a system")
>      end
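
Review bot: the new condition in box.schema.role.drop mixes `and` and `or` without parentheses and runs past 80 columns. Lua gives `and` higher precedence, so it evaluates as intended, but parenthesize the range test and put `or uid == box.schema.SUPER_ROLE_ID` on its own line so the intent does not depend on the reader recalling precedence. Per the diffstat the guard is added only in schema.lua, so it covers callers of this Lua function and nothing at a lower layer; worth stating in the commit message whether that is deliberate.
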
> diff --git a/src/box/lua/space.cc b/src/box/lua/space.cc
> index 3a4fe5b..6ef0573 100644
> --- a/src/box/lua/space.cc
> +++ b/src/box/lua/space.cc
> @@ -386,6 +386,8 @@ box_lua_space_init(struct lua_State *L)
>  	lua_setfield(L, -2, "SYSTEM_USER_ID_MIN");
>  	lua_pushnumber(L, BOX_SYSTEM_USER_ID_MAX);
>  	lua_setfield(L, -2, "SYSTEM_USER_ID_MAX");
> +	lua_pushnumber(L, SUPER);
> +	lua_setfield(L, -2, "SUPER_ROLE_ID");
>  	lua_pushnumber(L, BOX_INDEX_MAX);
>  	lua_setfield(L, -2, "INDEX_MAX");
>  	lua_pushnumber(L, BOX_SPACE_MAX);
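
Review bot: in box_lua_space_init the pushed constant is the bare `SUPER`, while every neighbouring export uses a `BOX_`-prefixed name (`BOX_SYSTEM_USER_ID_MAX`, `BOX_INDEX_MAX`, `BOX_SPACE_MAX`). A short unprefixed enumerator is easy to collide with and hard to grep for; consider a prefixed name, and add a comment on why this one role id is exported to Lua under `SUPER_ROLE_ID` when the hunk exports no other individual id.
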
> diff --git a/src/box/user_def.h b/src/box/user_def.h
> index 1104ec6..8bf31c2 100644
> --- a/src/box/user_def.h
> +++ b/src/box/user_def.h
> @@ -170,6 +170,7 @@ enum {
>  	GUEST = 0,
>  	ADMIN =  1,
>  	PUBLIC = 2, /* role */
> +	SUPER = 31, /* role */
>  	BOX_SYSTEM_USER_ID_MAX = PUBLIC
>  };
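
Review bot: `SUPER = 31` is placed between `PUBLIC = 2` and `BOX_SYSTEM_USER_ID_MAX = PUBLIC`, so the new role sits outside the range that `BOX_SYSTEM_USER_ID_MAX` bounds and any check written against that bound will not treat it as a system id. Either document next to the enumerator why 31 was chosen and that it is intentionally outside the range, or rework the bound so one predicate covers all built-in users and roles instead of the per-call-site `or` added in schema.lua.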


