A vulnerability scenario has been discovered in the default /sparql endpoint of prior Virtuoso 7.2 releases, whereby, despite defaulting to read-only access (using coarse-grained SQL ROLE-based security), certain SPARQL 1.1 INSERT and DELETE operations are possible, contrary to the impression given by the following error message:
Virtuoso 42000 Error SR186:SECURITY: No permission to execute procedure DB.DBA.SPARQL_DELETE_DICT_CONTENT with user ID {some-user-id}, group ID {some-sql-role-account-id}.
This issue has been resolved in the latest 7.2.4+ (3217+) build releases, which are available from the Virtuoso Download page.
For those running earlier releases, the following SQL commands immediately secure existing instances, courtesy of Virtuoso's finer-grained Graph Security layer:
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1); -- 'nobody' has no access to private named graphs
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 1, 0); -- 'nobody' can only read public named graphs
Note that this workaround has a performance impact and can be disabled after upgrading to the new 7.2.4+ (3217+) binary. If you simply want to secure a specific named graph, you can issue the following:
DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','{named-graph-iri}') ;