Anonymous | Login

Project:

News | My View | View Issues | Roadmap | Summary

View Issue Details[ Jump to Notes ]

[ Issue History ] [ Print ]

ID

0004625

Type

Category

Severity

Reproducibility

Date Submitted

Last Update

feature request

[Openbravo ERP] C. Security

major

always

2008-08-14 10:50

2024-03-14 16:48

Reporter

villind

View Status

public

Assigned To

iciordia

Priority

normal

Resolution

out of date

Fixed in Version

Status

closed

Fix in branch

Fixed in SCM revision

Projection

none

ETA

none

Target Version

OS

Any

Database

PostgreSQL

Java version

OS Version

Database version

8.3

Ant version

Product Version

2.40beta

SCM revision

Review Assigned To

Web browser

Modules

Core

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0004625: Created postgresql database user has too much permissions.

Description

Created postgresql user has superuser permissions. This means that openbravo can see and modify all other databases on postgresql server.

Steps To Reproduce

ant install.source

Proposed Solution

- Remove superuser permission.
- Remove permission to update pg_catalog

See the attached patch.

Tags

ReleaseCandidate

openbravo_postgresql_nosuperuser_permission.diff [^] (605 bytes) 2008-08-14 10:50 [Show Content] [Hide Content]

Index: src-db/database/build.xml
===================================================================
--- src-db/database/build.xml	(revision 6307)
+++ src-db/database/build.xml	(working copy)
@@ -296,10 +296,8 @@
       <transaction>
         --CREATING USER
         CREATE ROLE ${bbdd.user} LOGIN PASSWORD '${bbdd.password}'
-               SUPERUSER CREATEDB CREATEROLE
+               CREATEDB CREATEROLE
                VALID UNTIL 'infinity';
-        
-        UPDATE pg_authid SET rolcatupdate=true WHERE rolname='${bbdd.user}';
       </transaction>
     </sql>
     <sql driver="${bbdd.driver}"

Relationships [ Relation Graph ] [ Dependency Graph ]

depends on	feature request	0003392	pi	acknowledged	rmorley	Rewrite all procedures that drop/disble DB constraints
Not all the children of this issue are yet resolved or closed.

Notes
(0162192) shuehner (administrator) 2024-03-14 16:48	Outdated. But both changes mention in here have been done in the meantime.

Issue History
Date Modified	Username	Field	Change
2008-08-14 10:50	villind	New Issue
2008-08-14 10:50	villind	Assigned To	=> cromero
2008-08-14 10:50	villind	sf_bug_id	0 => 2051075
2008-08-14 10:50	villind	File Added: openbravo_postgresql_nosuperuser_permission.diff
2008-08-14 10:50	villind	Regression testing	=> No
2008-11-10 13:10	cromero	Assigned To	cromero => pjuvara
2008-11-16 18:43	pjuvara	Status	new => acknowledged
2008-11-16 18:43	pjuvara	Tag Attached: POS 2.30 Candidate
2008-11-16 18:43	pjuvara	Tag Attached: ReleaseCandidate
2008-11-16 18:43	pjuvara	Tag Detached: POS 2.30 Candidate
2008-11-16 18:43	pjuvara	Relationship added	depends on 0003392
2009-05-22 19:36	pjuvara	Assigned To	pjuvara => iciordia
2024-03-14 16:48	shuehner	Status	acknowledged => scheduled
2024-03-14 16:48	shuehner	Note Added: 0162192
2024-03-14 16:48	shuehner	Status	scheduled => closed
2024-03-14 16:48	shuehner	Resolution	open => out of date

Copyright © 2000 - 2009 MantisBT Group