| Subject | Re: [Firebird-Architect] External engines - metadata |
|---|---|
| Author | Alex Peshkov |
| Post date | 2007-10-19T10:05:33Z |
On Friday 19 October 2007 13:21, Vlad Khorsun wrote:
know, on the other hand, how should it be implemented for non-security DB
based auth, but this is out of 'External engines' scope.
treat miss of special 'CREATE DATABASE' grant as extra-ordinary security
risk. As long as 'CREATE DATABASE' does not mean 'execute arbitrary code'.
For me this restriction is not enough to make use of unsafe external languages
safe. I already preview security advisory - granting user CREATE DATABASE
right in fb 2.5 makes it possible for him to execute arbitrary code. May be
better automatically turn off unsafe languages for non-SYSDBA?
> > Yes, limiting CREATE DATABASE is a possible way to go.I'm agreed that limiting right to CREATE DATABASE is useful feature. I do not
>
> Its as "must have" i'd said.
know, on the other hand, how should it be implemented for non-security DB
based auth, but this is out of 'External engines' scope.
> > But I'm afraid that weWith abiliy to restrict locations of databases using firebird.conf I do not
> > do open a can of worms here. Some legacy application can rely on ability
> > for any user to create new database. Don't ask me why it's needed, just
> > one example - program needs to store personal user settings in own
> > database (at least MS does such a trick with it's registry). Yes, it's
> > possible to rewrite that application, but to let it work right now CREATE
> > DATABASE is granted to everyone, and possible results are easy to
> > predict. I.e. I do not like making security of the system as a whole
> > dependent upon breaking old features that worked >20 years.
>
> If someone want to GRANT CREATE DATABASE TO PUBLIC its not our
> problem. But normal SQL-secuity is a "must have". It one of the our huge
> weakness.
treat miss of special 'CREATE DATABASE' grant as extra-ordinary security
risk. As long as 'CREATE DATABASE' does not mean 'execute arbitrary code'.
> Note - one may GRANT CREATE DATABASE TO PUBLIC on the specialAnd turn off unsafe languages in it? That's really good workaround.
> dedicated engine instance serving this bad legacy applications.
> > Let me point here, that if needed we may easily distinguish betweenYou mean restrict use if CREATE DATABASE?
> > database owner and SYSDBA (actually different flags in struct usr).
> > Therefore one more possible solution - external routines may be defined
> > only by SYSDBA.
>
> Its may be a solution until we implement normal security
For me this restriction is not enough to make use of unsafe external languages
safe. I already preview security advisory - granting user CREATE DATABASE
right in fb 2.5 makes it possible for him to execute arbitrary code. May be
better automatically turn off unsafe languages for non-SYSDBA?