angel@brl-adm.ARPA (Rick Angelini <angel>) (09/08/87)
MORE INVESTIGATION on ..... To: manatt@lll-winken.ARPA Subject: Re: Security hole in RTI ingres Newsgroups: comp.databases ------------------------------------------- I have done further investigation since my previous message about updating system catalogs ...... Yes, there is indeed a hole in the table permissions. A user may append/delete/modify any system table, without special flags or special permissions. There exists a flag in the user profile which determines whether or not a particular user is permitted to updates system tables, but Ingres appears to ignore that flag. The hardest part of any user updating the system tables in knowing the names of the system tables, 'cause they don't show up on a 'help' command. So, to recap, as long as the user uses the Ingres "front ends" such as Vigraph or Vifred, the system tables will not be corrupted. The worst that will happen is that there will be two forms of the same name, one owned by the Db owner, the other owned by the user. However, if the user gets nasty and goes into "quel" and does a "delete iiqbfinfo\g", that system table will have zero rows in it. Not very nice, is it?
larry@postgres.uucp (Larry Rowe) (09/09/87)
In article <9199@brl-adm.ARPA> angel@brl-adm.ARPA (Rick Angelini <angel>) writes: >MORE INVESTIGATION on ..... > >Yes, there is indeed a hole in the table permissions. A user may >append/delete/modify any system table, without special flags or >special permissions. There exists a flag in the user profile which >determines whether or not a particular user is permitted to updates >system tables, but Ingres appears to ignore that flag. The security flag controls the system tables managed by the back-end (e.g., relation, attribute, indexes, protection, tree, and the statistics tables). the front-end tables are not protected. the reason is that the front-end programs themselves have to update the tables. ingres would have to be modified to determine which updates were valid (i.e., legal updates from front-end packages) and which were invalid (i.e., user-supplied updates). it would take some energy to put into the system. RTI hasn't done it because there were/are other features deemed more important. in fact, there have been times that the feature has been used by application builders to clean-up problems they created and to perform operations not directly supported by the front-end tools. nevertheless, it is a hole that should be fixed someday. larry