Tarantool development patches archive
 help / color / mirror / Atom feed
From: Konstantin Osipov <kostja@tarantool.org>
To: Ilya Markov <imarkov@tarantool.org>
Cc: georgy@tarantool.org, tarantool-patches@freelists.org
Subject: [tarantool-patches] Re: [security 2/2] security: Refactor system space access checks
Date: Wed, 16 May 2018 22:27:26 +0300	[thread overview]
Message-ID: <20180516192726.GB9640@atlas> (raw)
In-Reply-To: <409d4eb26a35f40309ef25b1fe291f3ec5ddb911.1526474053.git.imarkov@tarantool.org>

* Ilya Markov <imarkov@tarantool.org> [18/05/16 15:39]:
>  	/*
> -	 * XXX: pre 1.7.7 there was no specific 'CREATE' or
> -	 * 'ALTER' ACL, instead, read and write access on universe
> -	 * was used to allow create/alter.
> -	 * For backward compatibility, if a user has read and write
> -	 * access on the universe, grant it CREATE access
> -	 * automatically.
> -	 * The legacy fix does not affect sequences since they
> -	 * were added in 1.7.7 only.
> +	 * If a user has write access on the universe,
> +	 * grant it CREATE, DROP, ALTER access automatically.
>  	 */
> -	if (is_17_compat_mode && has_access & PRIV_R && has_access & PRIV_W)
> -		has_access |= PRIV_C | PRIV_A;
> +	if (has_access & PRIV_W)
> +		has_access |= PRIV_C | PRIV_A | PRIV_D;
>  

I see no point in such automatic grant other than
1.7.7 compatibility.


> -	user_access_t access = ((PRIV_U | (user_access_t) priv_type) &
> -				~has_access);
> +	user_access_t access = ((user_access_t) priv_type & ~has_access);
>  	bool is_owner = owner_uid == cr->uid || cr->uid == ADMIN;
>  	/*
>  	 * Only the owner of the object or someone who has
> -	 * specific DDL privilege on the object can execute
> -	 * DDL. If a user has no USAGE access and is owner,
> -	 * deny access as well.
> +	 * specific DDL privilege on the object can execute DDL.
>  	 */
> -	if (access == 0 || (is_owner && !(access & PRIV_U)))
> +	if (access == 0 || is_owner)

I don't understand this change. Why did 'usage' disappear? Even
the owner of the object can do nothing if they have no 'usage'
access.

>  	access_check_ddl(old_space->def->name, old_space->def->uid, SC_SPACE,
> -			 priv_type, true);
> +			 priv_type, BOX_SPACE_ID);

Why did you need these changes? Could you describe in the
changeset comment the idea of this patch?

>  	/*
> -	 * Check if a write privilege was given, raise an error if not.
> +	 * Perform checks specific for space. Then perform usual check_ddl.
>  	 */
> -	access_check_space_xc(old_space, PRIV_W);
> +	credentials *cr = effective_user();
> +	uint32_t has_access = cr->universal_access |
> +			      old_space->access[cr->auth_token].effective;
> +	if (!(has_access & (PRIV_W | PRIV_D))) {
> +		access_check_ddl(old_space->def->name, old_space->def->uid,
> +				 SC_SPACE,
> +				 PRIV_D, BOX_SPACE_ID);
> +	}

(stopped the review)

This is a huge patch. Any chance of splitting it?

-- 
Konstantin Osipov, Moscow, Russia, +7 903 626 22 32
http://tarantool.io - www.twitter.com/kostja_osipov

  reply	other threads:[~2018-05-16 19:27 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-16 12:37 [tarantool-patches] [security 0/2] System spaces access control lists Ilya Markov
2018-05-16 12:37 ` [tarantool-patches] [security 1/2] security: Refactor reads from systems spaces Ilya Markov
2018-05-16 19:22   ` [tarantool-patches] " Konstantin Osipov
2018-05-16 12:37 ` [tarantool-patches] [security 2/2] security: Refactor system space access checks Ilya Markov
2018-05-16 19:27   ` Konstantin Osipov [this message]
2018-05-17 16:15     ` [tarantool-patches] [security 0/2] Access control lists Ilya Markov
2018-05-17 16:15       ` [tarantool-patches] [security 1/2] security: Refactor reads from systems spaces Ilya Markov
2018-05-17 16:15       ` [tarantool-patches] [security 2/2] security: Refactor system space access checks Ilya Markov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180516192726.GB9640@atlas \
    --to=kostja@tarantool.org \
    --cc=georgy@tarantool.org \
    --cc=imarkov@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --subject='[tarantool-patches] Re: [security 2/2] security: Refactor system space access checks' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox