Andy Mitchell (afm@biotech.ufl.edu)
Wed, 30 Apr 1997 10:34:40 -0500
Message-Id: <199704301534.KAA02150@snarl.biotech.ufl.edu>
Subject: Re: [mSQL] Help with acl - please
Date: Wed, 30 Apr 1997 10:34:40 -0500
From: Andy Mitchell <afm@biotech.ufl.edu>

+-- Jeff Pooser <jpooser@mars.gsd.harvard.edu>, wrote:
|
| Hey- I resemble that remark :) although I did suggest reloading the
| server, because everything looked fine with your acl file-
;-)
| To further my shame, it appears as if it doesn't actually work ok for
| me....
|
| I have the same symptoms as you:
|
| My attempt to INSERT to a db write protected by acl fails, but like
| yourself, an update statement seems to get thru the security...
In your example, as in mine, we inserted into the *database* not the table.
Someone pointed out that the acl list protects the tables not the database.
Well...
1.) It seems kind of stupid to even allow inserts and updates to the database
then - what kind of security is that? "Hmm..can't insert into footbl because
I don't have write privs. Hey, how about I just update foo instead?"
2.) It's wrong anyway. I just tried my example with insert and update to a
table (instead of db) and have the same problem. I am going to keep on
probing. If I discover anything I would be happy to let you know. Hopefully,
after my previous crack, you'll still be willing to let me know what you
find, too. ;-)
Cheers,
Andy
ps. It just occurred to me that (in your example below) maybe your database
and table share the same name. In any case, it is still a problem!