Subject RE: [IB-Architect] Journaling support?
Author Claudio Valderrama C.
> -----Original Message-----
> From: "Markus Kemper" <mkemper@...>
>
> Good points of weakness. Areas that I think could likely
> be strengthened without major changes. Others would need
> to confirm though, I am speculating.

Probably you should consider special rights for:
- CREATE DATABASE: some (or several?) people run IB on its default account.
In NT, no more than the operating system itself. Running IB as a service
under another account with permissions only on the database directory and
the temp directory should alleviate things. However, I can't say for sure if
all other operating systems allow IB to run in a non-privileged account.
Even after external restrictions, any user can try to guess the temp dir
location and create a db here. Probably we need a restriction in the engine.
- EXTERNAL FILES: the other day I mapped an already extant HTML file on my
machine as an external table with a long varchar and I was able to read it.
There must be some restriction on such declarations. What if I was able to
rewrite a file by this means?
- GENERATORS: let's assume for a moment my name is Disgruntled Employee. I
want to cause havoc. I investigate metadata and discover the name of some
generators. Then I reset those triggers to zero and subsequent inserts fail.
There must be a way to restrict calls to gen_id that use an increment
different than zero, namely, calls that change the generator's value.
Perhaps generators can have full rights by default to not break existing
applications but at least some degree of protection must be possible.
- UDFs: same as the previous. A UDF can do almost anything it shouldn't do.

As I understand after a brief mail exchange with Diane Brown, there's a
thing called SQL99... perhaps there's room for improvement inside the
enhancements to SQL, namely, non-proprietary extensions to allow better
security.

In the general functionality, I would love to see a
read_only/read_committed txn that doesn't stop the OAT advance.

C.
---------
Claudio Valderrama C.
Ingeniero en Informática - Consultor independiente
http://members.xoom.com/cvalde
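
The generator restriction proposed in the message above, sketched as an added example (not part of the original post and not InterBase code): a statement filter that treats `GEN_ID` with a literal zero increment as a read and anything else, including `SET GENERATOR`, as a write that needs a grant. Assumptions: SQL is inspected as text outside the engine, and the `GRANTS` mapping, user names and generator names are hypothetical.

```python
import re

NAME = r'("[^"]+"|\w+)'
GEN_ID = re.compile(r"\bgen_id\s*\(\s*" + NAME + r"\s*,", re.I)
SET_GEN = re.compile(r"\bset\s+generator\s+" + NAME, re.I)

def _norm(name):
    # Unquoted identifiers are case-insensitive; quoted ones keep their case.
    return name[1:-1] if name.startswith('"') else name.upper()

def _increment(sql, start):
    """Text of GEN_ID's second argument, read up to its closing parenthesis."""
    depth = 0
    for i in range(start, len(sql)):
        if sql[i] == "(":
            depth += 1
        elif sql[i] == ")":
            if depth == 0:
                return sql[start:i].strip()
            depth -= 1
    return sql[start:].strip()  # unbalanced input: fail closed below

def generator_writes(sql):
    """Generators the statement may modify (a literal 0 increment is a read)."""
    touched = {_norm(n) for n in SET_GEN.findall(sql)}
    for m in GEN_ID.finditer(sql):
        if not re.fullmatch(r"[+-]?0+", _increment(sql, m.end())):
            touched.add(_norm(m.group(1)))
    return sorted(touched)

def is_allowed(user, sql, grants):
    """grants (hypothetical): user -> set of generators that user may change."""
    return set(generator_writes(sql)) <= grants.get(user, set())

# Constructed sample data, not taken from the original post.
GRANTS = {"APP_OWNER": {"GEN_ORDER_ID"}}
SAMPLES = [
    "SELECT GEN_ID(GEN_ORDER_ID, 0) FROM RDB$DATABASE",
    "SELECT gen_id(gen_order_id, 1) FROM RDB$DATABASE",
    "SET GENERATOR GEN_ORDER_ID TO 0",
    "INSERT INTO ORDERS (ID) VALUES (GEN_ID(GEN_ORDER_ID, :step))",
]

if __name__ == "__main__":
    for user in ("APP_OWNER", "REPORT_USER"):
        for sql in SAMPLES:
            verdict = "allow" if is_allowed(user, sql, GRANTS) else "deny"
            print(f"{user:12} {verdict:5} {sql}")
```

Increments that are parameters or expressions count as writes, so the filter denies when it cannot prove the call is a read.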