sql/connection.cc - Issue 5125579611308032: [sql] Allow restricting database to user read access.

Side by Side Diff: sql/connection.cc

Issue 5125579611308032: [sql] Allow restricting database to user read access. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: file_util::PathExists -> base::PathExists Created 7 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sql/connection.h"	5 #include "sql/connection.h"

6	6

7 #include <string.h>	7 #include <string.h>

8	8

9 #include "base/files/file_path.h"	9 #include "base/files/file_path.h"

10 #include "base/file_util.h"	10 #include "base/file_util.h"

(...skipping 150 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
161 // handler. In that case maintain the sense of \|was_valid_\| which	161 // handler. In that case maintain the sense of \|was_valid_\| which

162 // previously held for this ref.	162 // previously held for this ref.

163 was_valid_ = was_valid_ && forced;	163 was_valid_ = was_valid_ && forced;

164 }	164 }

165	165

166 Connection::Connection()	166 Connection::Connection()

167 : db_(NULL),	167 : db_(NULL),

168 page_size_(0),	168 page_size_(0),

169 cache_size_(0),	169 cache_size_(0),

170 exclusive_locking_(false),	170 exclusive_locking_(false),

	171 restrict_to_user_(false),

171 transaction_nesting_(0),	172 transaction_nesting_(0),

172 needs_rollback_(false),	173 needs_rollback_(false),

173 in_memory_(false),	174 in_memory_(false),

174 poisoned_(false) {	175 poisoned_(false) {

175 }	176 }

176	177

177 Connection::~Connection() {	178 Connection::~Connection() {

178 Close();	179 Close();

179 }	180 }

180	181

(...skipping 540 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
721 // Histogram failures specific to initial open for debugging	722 // Histogram failures specific to initial open for debugging

722 // purposes.	723 // purposes.

723 UMA_HISTOGRAM_ENUMERATION("Sqlite.OpenFailure", err & 0xff, 50);	724 UMA_HISTOGRAM_ENUMERATION("Sqlite.OpenFailure", err & 0xff, 50);

724	725

725 OnSqliteError(err, NULL);	726 OnSqliteError(err, NULL);

726 Close();	727 Close();

727 db_ = NULL;	728 db_ = NULL;

728 return false;	729 return false;

729 }	730 }

730	731

	732 // TODO(shess): OS_WIN support?

	733 #if defined(OS_POSIX)
	Greg Billock 2013/07/15 23:26:06 Should this be treated as a DB version upgrade? Th Should this be treated as a DB version upgrade? Thinking worst-case, if it results in not being able to access the file, would we be able to roll back? Scott Hess - ex-Googler 2013/07/16 18:08:13 Not sure what you mean. If it results in not bein Show quoted text On 2013/07/15 23:26:06, Greg Billock wrote: > Should this be treated as a DB version upgrade? Thinking worst-case, if it > results in not being able to access the file, would we be able to roll back? Not sure what you mean. If it results in not being able to access the file, we're going to have to roll custom code to fix it no matter what. But older versions shouldn't have any problems reading this (if someone rolled to a new version of Chromium and then back), just as if it would be fine if they changed their umask to 0077 then back to 0022 (umask is things to mask out, apparently).
	734 if (restrict_to_user_) {

	735 DCHECK_NE(file_name, std::string(":memory"));
	Jorge Lucangeli Obes 2013/07/11 23:00:43 Does ":memory" mean a memory-backed database? Does ":memory" mean a memory-backed database? Scott Hess - ex-Googler 2013/07/15 20:50:08 Yeah, sql::Connection has separate Open() and Open Show quoted text On 2013/07/11 23:00:43, Jorge Lucangeli Obes wrote: > Does ":memory" mean a memory-backed database? Yeah, sql::Connection has separate Open() and OpenMemory() functions which both call through to this one, with ":memory:" signaling memory-backed to SQLite. This code could, probably, have been up in Open(), but I somewhat prefer to have it as close as possible to the file's creation (sqlite3_open above). Since you're good with the approach, I'm going to pass it by another sql/OWNERS member to see if they prefer a different placement.
	736 base::FilePath file_path(file_name);

	737 int mode = 0;

	738 // TODO(shess): Arguably, failure to retrieve and change

	739 // permissions should be fatal if the file exists.

	740 if (file_util::GetPosixFilePermissions(file_path, &mode)) {

	741 mode &= file_util::FILE_PERMISSION_USER_MASK;
	Greg Billock 2013/07/15 23:26:06 do we need IXUSR? How about just mode = ... ? We' do we need IXUSR? How about just mode = ... ? We're trying to tighten the permission, no? I see for symlinks, this sets the permissions on the pointed-to file. Is that OK? Thinking here... could there be configurations either with shared profiles for a workgroup, or situations with VMs or something where you can't change the file permissions that will end up getting broken by this? Scott Hess - ex-Googler 2013/07/16 18:08:13 I'm aiming for "Adjust what SQLite has done after Show quoted text On 2013/07/15 23:26:06, Greg Billock wrote: > do we need IXUSR? > > How about just mode = ... ? We're trying to tighten the permission, no? I see > for symlinks, this sets the permissions on the pointed-to file. Is that OK? I'm aiming for "Adjust what SQLite has done after accounting for umask". Since the goal is to restrict access to the data, applying to the file rather than the symlink is desirable. If we decided to trim the executable bits, to me that seems like something we should trim on ALL files, not just the login database. Likewise WRT fixing broken permissions, if someone's database is read-only, that's not specific to the login database. I suppose it would make sense to push a histogram at some point logging access(2) results for R_OK\|W_OK for each database. Show quoted text > Thinking here... could there be configurations either with shared profiles for a > workgroup, or situations with VMs or something where you can't change the file > permissions that will end up getting broken by this? This is POSIX-only. Justin indicated that Windows didn't have this class of problem (I have no idea how to _really_ determine that independently). As far as I'm aware, we don't support anything like that for OSX or Linux - and even if we did, whatever the system is would necessarily have to have consistent ownership of the files, because otherwise all sorts of things would be busted.
	742 file_util::SetPosixFilePermissions(file_path, mode);

	743

	744 // SQLite sets the permissions on these files from the main

	745 // database on create. Set them here in case they already exist

	746 // at this point. Failure to set these permissions should not

	747 // be fatal unless the file doesn't exist.

	748 base::FilePath journal_path(file_name + FILE_PATH_LITERAL("-journal"));

	749 base::FilePath wal_path(file_name + FILE_PATH_LITERAL("-wal"));

	750 file_util::SetPosixFilePermissions(journal_path, mode);
	Greg Billock 2013/07/15 23:26:06 Do we need the same "if Get { Set }" formulation h Do we need the same "if Get { Set }" formulation here? Scott Hess - ex-Googler 2013/07/16 18:08:13 The SQLite code uses the main database permissions Show quoted text On 2013/07/15 23:26:06, Greg Billock wrote: > Do we need the same "if Get { Set }" formulation here? The SQLite code uses the main database permissions for the \|mode\| parameter to open(), so I think this version is sufficient. By the same reasoning, if(Get) {Set} on the individual files should provide identical permissions to \|mode\|. The latter approach would allow for permissions to not be identical, but I just went with this because it has less code.
	751 file_util::SetPosixFilePermissions(wal_path, mode);

	752 }

	753 }

	754 #endif // defined(OS_POSIX)

	755

731 // SQLite uses a lookaside buffer to improve performance of small mallocs.	756 // SQLite uses a lookaside buffer to improve performance of small mallocs.

732 // Chromium already depends on small mallocs being efficient, so we disable	757 // Chromium already depends on small mallocs being efficient, so we disable

733 // this to avoid the extra memory overhead.	758 // this to avoid the extra memory overhead.

734 // This must be called immediatly after opening the database before any SQL	759 // This must be called immediatly after opening the database before any SQL

735 // statements are run.	760 // statements are run.

736 sqlite3_db_config(db_, SQLITE_DBCONFIG_LOOKASIDE, NULL, 0, 0);	761 sqlite3_db_config(db_, SQLITE_DBCONFIG_LOOKASIDE, NULL, 0, 0);

737	762

738 // sqlite3_open() does not actually read the database file (unless a	763 // sqlite3_open() does not actually read the database file (unless a

739 // hot journal is found). Successfully executing this pragma on an	764 // hot journal is found). Successfully executing this pragma on an

740 // existing database requires a valid header on page 1.	765 // existing database requires a valid header on page 1.

(...skipping 158 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
899 }	924 }

900	925

901 // Best effort to put things back as they were before.	926 // Best effort to put things back as they were before.

902 const char kNoWritableSchema[] = "PRAGMA writable_schema = OFF";	927 const char kNoWritableSchema[] = "PRAGMA writable_schema = OFF";

903 ignore_result(Execute(kNoWritableSchema));	928 ignore_result(Execute(kNoWritableSchema));

904	929

905 return ret;	930 return ret;

906 }	931 }

907	932

908 } // namespace sql	933 } // namespace sql

OLD	NEW

« no previous file with comments | « sql/connection.h ('k') | sql/connection_unittest.cc » ('j') | sql/connection_unittest.cc » ('J')