From: Konstantin Osipov <kostja@tarantool.org> To: Ilya Markov <imarkov@tarantool.org> Cc: georgy@tarantool.org, tarantool-patches@freelists.org Subject: [tarantool-patches] Re: [security 2/2] security: Refactor system space access checks Date: Wed, 16 May 2018 22:27:26 +0300 [thread overview] Message-ID: <20180516192726.GB9640@atlas> (raw) In-Reply-To: <409d4eb26a35f40309ef25b1fe291f3ec5ddb911.1526474053.git.imarkov@tarantool.org> * Ilya Markov <imarkov@tarantool.org> [18/05/16 15:39]: > /* > - * XXX: pre 1.7.7 there was no specific 'CREATE' or > - * 'ALTER' ACL, instead, read and write access on universe > - * was used to allow create/alter. > - * For backward compatibility, if a user has read and write > - * access on the universe, grant it CREATE access > - * automatically. > - * The legacy fix does not affect sequences since they > - * were added in 1.7.7 only. > + * If a user has write access on the universe, > + * grant it CREATE, DROP, ALTER access automatically. > */ > - if (is_17_compat_mode && has_access & PRIV_R && has_access & PRIV_W) > - has_access |= PRIV_C | PRIV_A; > + if (has_access & PRIV_W) > + has_access |= PRIV_C | PRIV_A | PRIV_D; > I see no point in such automatic grant other than 1.7.7 compatibility. > - user_access_t access = ((PRIV_U | (user_access_t) priv_type) & > - ~has_access); > + user_access_t access = ((user_access_t) priv_type & ~has_access); > bool is_owner = owner_uid == cr->uid || cr->uid == ADMIN; > /* > * Only the owner of the object or someone who has > - * specific DDL privilege on the object can execute > - * DDL. If a user has no USAGE access and is owner, > - * deny access as well. > + * specific DDL privilege on the object can execute DDL. > */ > - if (access == 0 || (is_owner && !(access & PRIV_U))) > + if (access == 0 || is_owner) I don't understand this change. Why did 'usage' disappear? Even the owner of the object can do nothing if they have no 'usage' access. > access_check_ddl(old_space->def->name, old_space->def->uid, SC_SPACE, > - priv_type, true); > + priv_type, BOX_SPACE_ID); Why did you need these changes? Could you describe in the changeset comment the idea of this patch? > /* > - * Check if a write privilege was given, raise an error if not. > + * Perform checks specific for space. Then perform usual check_ddl. > */ > - access_check_space_xc(old_space, PRIV_W); > + credentials *cr = effective_user(); > + uint32_t has_access = cr->universal_access | > + old_space->access[cr->auth_token].effective; > + if (!(has_access & (PRIV_W | PRIV_D))) { > + access_check_ddl(old_space->def->name, old_space->def->uid, > + SC_SPACE, > + PRIV_D, BOX_SPACE_ID); > + } (stopped the review) This is a huge patch. Any chance of splitting it? -- Konstantin Osipov, Moscow, Russia, +7 903 626 22 32 http://tarantool.io - www.twitter.com/kostja_osipov
next prev parent reply other threads:[~2018-05-16 19:27 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-05-16 12:37 [tarantool-patches] [security 0/2] System spaces access control lists Ilya Markov 2018-05-16 12:37 ` [tarantool-patches] [security 1/2] security: Refactor reads from systems spaces Ilya Markov 2018-05-16 19:22 ` [tarantool-patches] " Konstantin Osipov 2018-05-16 12:37 ` [tarantool-patches] [security 2/2] security: Refactor system space access checks Ilya Markov 2018-05-16 19:27 ` Konstantin Osipov [this message] 2018-05-17 16:15 ` [tarantool-patches] [security 0/2] Access control lists Ilya Markov 2018-05-17 16:15 ` [tarantool-patches] [security 1/2] security: Refactor reads from systems spaces Ilya Markov 2018-05-17 16:15 ` [tarantool-patches] [security 2/2] security: Refactor system space access checks Ilya Markov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180516192726.GB9640@atlas \ --to=kostja@tarantool.org \ --cc=georgy@tarantool.org \ --cc=imarkov@tarantool.org \ --cc=tarantool-patches@freelists.org \ --subject='[tarantool-patches] Re: [security 2/2] security: Refactor system space access checks' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox