[patches] Re: [security 1/1] security: Prohibit to drop super role
Konstantin Osipov
kostja at tarantool.org
Mon Jan 29 21:16:17 MSK 2018
* imarkov <imarkov at tarantool.org> [18/01/29 16:58]:
> ---
> src/box/lua/schema.lua | 5 +++--
> src/box/lua/space.cc | 2 ++
> src/box/user_def.h | 1 +
> test/box/access.result | 12 ++++++++++++
> test/box/access.test.lua | 3 +++
> 5 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
> index 207e944..28e4d81 100644
> --- a/src/box/lua/schema.lua
> +++ b/src/box/lua/schema.lua
> @@ -2070,7 +2070,8 @@ box.schema.user.drop = function(name, opts)
> box.error(box.error.DROP_USER, name,
> "the user or the role is a system")
> end
> - if uid == box.session.uid() or uid == box.session.euid() then
> + if uid == box.session.uid() or uid == box.session.euid()
> + or uid == box.schema.SUPER_ROLE_ID then
> box.error(box.error.DROP_USER, name,
> "the user is active in the current session")
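Review bot: The added `or uid == box.schema.SUPER_ROLE_ID` condition falls into the branch that reports "the user is active in the current session", which is misleading when the refusal is about the super role and has nothing to do with the session. Give the super role its own branch with its own DROP_USER reason, or handle it next to the "the user or the role is a system" check just above, so a caller can tell from the error why the drop was rejected.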
These checks should happen in C code, not Lua code.
> diff --git a/src/box/user_def.h b/src/box/user_def.h
> index 1104ec6..8bf31c2 100644
> --- a/src/box/user_def.h
> +++ b/src/box/user_def.h
> @@ -170,6 +170,7 @@ enum {
> GUEST = 0,
> ADMIN = 1,
> PUBLIC = 2, /* role */
> + SUPER = 31, /* role */
> BOX_SYSTEM_USER_ID_MAX = PUBLIC
> };
>
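Review bot: `SUPER = 31` is added to the enum, but `BOX_SYSTEM_USER_ID_MAX = PUBLIC` is left unchanged, so the new role id lies outside the range that constant describes, and any check written against `BOX_SYSTEM_USER_ID_MAX` will not treat super as a system role. If that is intentional, add a comment on the `SUPER` line saying so and explaining the choice of 31; otherwise protection of this role depends on every caller remembering to compare against `SUPER` explicitly.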
OK
--
Konstantin Osipov, Moscow, Russia, +7 903 626 22 32
http://tarantool.org - www.twitter.com/kostja_osipov