Re: [HACKERS] RFC: Security and Impersonation

From: Philip Warner <pjw(at)rhyme(dot)com(dot)au>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: [HACKERS] RFC: Security and Impersonation
Date: 1999-07-24 13:12:58
Message-ID: 3.0.5.32.19990724231258.00aefb50@mail.rhyme.com.au
Lists: pgsql-hackers

At 10:51 23/07/99 -0400, you wrote:
>
>We have some of this, I think, from ACLs on tables and views. But
>as far as I know there is not a notion of a "suid view", one with
>different privileges from its caller. It sounds like a good thing
>to work on. Is there any standard in the area?
>

I'll look through the SQL3 stuff, and see what I can find.

I've now done this, and it's in the SQL3 standard. It is implemented via
Modules. The idea being that all routines (procedures and functions) appear
in a module, and that the module can have a 'Module Authorization
Identifier'. The syntax is:

Create Module MY_MODULE Language SQL
Authorization SOME_ID

Procedure Some_Procedure....

...etc

End Module;

If the auth. ID is specified, then (quoting from the standard p. 95):

"... that <module authorization
identifier> is used as the current <authorization identifier> for
the execution of all <routine>s in the <module>. If the <module
authorization identifier> is not specified, then the SQL-session
<authorization identifier> is used as the current <authorization
identifier> for the execution of each <routine> in the <module>."

Let me know if you want to know more. The relevant standard can be found at:

ftp://gatekeeper.dec.com/pub/standards/sql/sql-foundation-aug94.txt

----------------------------------------------------------------
Philip Warner | __---_____
Albatross Consulting Pty. Ltd. |----/ - \
(A.C.N. 008 659 498) | /(@) ______---_
Tel: +61-03-5367 7422 | _________ \
Fax: +61-03-5367 7430 | ___________ |
Http://www.rhyme.com.au | / \|
| --________--
PGP key available upon request, | /
and from pgp5.ai.mit.edu:11371 |/
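
The definer-rights versus caller-rights behaviour quoted from the standard above, sketched as an added example that is not part of the original message: it uses PostgreSQL's SECURITY DEFINER function attribute as an analogue, not the SQL3 module syntax, and every role, schema, table and function name is hypothetical.

```sql
-- Added example; all role, schema, table and function names are hypothetical.
-- Assumes a superuser session in a scratch PostgreSQL database.
CREATE ROLE payroll_owner NOLOGIN;
CREATE ROLE clerk NOLOGIN;
CREATE SCHEMA payroll AUTHORIZATION payroll_owner;

SET ROLE payroll_owner;
CREATE TABLE payroll.salary (emp_id int PRIMARY KEY, amount numeric NOT NULL);
INSERT INTO payroll.salary VALUES (1, 50000), (2, 62000);  -- constructed rows

-- Runs with the owner's authorization identifier, like a routine in a
-- module that specifies an authorization identifier. The pinned
-- search_path keeps a caller from substituting objects of its own.
CREATE FUNCTION payroll.headcount() RETURNS bigint
    LANGUAGE sql
    SECURITY DEFINER
    SET search_path = payroll, pg_temp
AS $$ SELECT count(*) FROM payroll.salary $$;

-- Same body, but runs with the caller's identifier (the default),
-- like a routine in a module with no authorization identifier.
CREATE FUNCTION payroll.headcount_invoker() RETURNS bigint
    LANGUAGE sql
    SECURITY INVOKER
    SET search_path = payroll, pg_temp
AS $$ SELECT count(*) FROM payroll.salary $$;

-- EXECUTE is granted to PUBLIC by default; narrow it to the intended caller.
REVOKE ALL ON FUNCTION payroll.headcount(), payroll.headcount_invoker() FROM PUBLIC;
GRANT USAGE ON SCHEMA payroll TO clerk;
GRANT EXECUTE ON FUNCTION payroll.headcount(), payroll.headcount_invoker() TO clerk;
RESET ROLE;

-- clerk holds no privilege on payroll.salary itself.
SET ROLE clerk;
SELECT payroll.headcount();          -- allowed: body runs as payroll_owner
SELECT payroll.headcount_invoker();  -- denied: body runs as clerk
SELECT * FROM payroll.salary;        -- denied: no table privilege for clerk
RESET ROLE;
```

The definer-rights function should expose only the narrow result the caller needs, since anyone granted EXECUTE acts with the owner's privileges for the duration of the call.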
