Date: Wed, 23 Dec 2020 12:58:50 +0000
From: Kirill Yukhin
Message-ID: <20201223125850.siignp2d2ouzu5xs@tarantool.org>
References: <2cc8e87a9cf72e326e0eacec99eb127a90b3f5e1.1608547708.git.imeevma@gmail.com>
In-Reply-To: <2cc8e87a9cf72e326e0eacec99eb127a90b3f5e1.1608547708.git.imeevma@gmail.com>
Subject: Re: [Tarantool-patches] [PATCH v1 1/1] box: remove unnecessary rights from peristent functions
List-Id: Tarantool development patches
To: imeevma@tarantool.org
Cc: s.ostanevich@corp.mail.ru, tarantool-patches@dev.tarantool.org

Hello,

On 21 Dec 13:51, Mergen Imeev via Tarantool-patches wrote:
> After this patch, the persistent functions "box.schema.user.info" and
> "LUA" will have the same rights as the user who executed them.
>
> The problem was that setuid was unnecessarily set. Because of this,
> these functions had the same rights as the user who created them.
> However, they must have the same rights as the user who used them.
>
> Fixes tarantool/security#1

I've checked your patch into 2.5, 2.6 and master.

--
Regards, Kirill Yukhin
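
The check below is an added example, not part of this thread or of the Tarantool patch: it lists the persistent functions that still run with their creator's rights (setuid set) and marks the two named in the commit message. It assumes a configured instance, a console user who can read the `_func` and `_user` system spaces, and that `_func` tuples expose `name`, `owner` and `setuid` fields; `list_setuid_functions` and `NAMED_IN_PATCH` are names made up for this example.

```lua
-- Added example: run in the console of a configured Tarantool instance
-- (after box.cfg{}), as a user allowed to read _func and _user.

-- Functions the commit message says must run with the caller's rights.
local NAMED_IN_PATCH = {
    ['box.schema.user.info'] = true,
    ['LUA'] = true,
}

-- Return every function stored in _func whose setuid flag is set, i.e.
-- functions that execute with the rights of the user who created them
-- instead of the rights of the user who calls them.
-- Assumption: setuid is stored as the unsigned value 1 when enabled.
local function list_setuid_functions()
    local found = {}
    for _, func in box.space._func:pairs() do
        if func.setuid == 1 then
            -- Resolve the owner id to a user name; fall back to the raw id
            -- if the owner record cannot be read.
            local owner = box.space._user:get(func.owner)
            table.insert(found, {
                name = func.name,
                owner = owner and owner.name or tostring(func.owner),
                named_in_patch = NAMED_IN_PATCH[func.name] == true,
            })
        end
    end
    return found
end

-- Print one line per setuid function; entries named in the patch are
-- flagged because they are expected to have setuid cleared.
for _, f in ipairs(list_setuid_functions()) do
    local note = ''
    if f.named_in_patch then
        note = '  <-- named in the patch, expected to have setuid cleared'
    end
    print(('%s (owner: %s)%s'):format(f.name, f.owner, note))
end
```

Any other function in the output is worth reviewing as well: a setuid function owned by a privileged user gives every caller allowed to execute it that owner's rights for the duration of the call.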