Subject Re: [Firebird-Architect] External engines - metadata
Author Alex Peshkov
On Friday 19 October 2007 15:53, Vlad Khorsun wrote:
> Everyone may create a database and occupy the whole HDD with it. Is it good?

Everyone granted insert to any table can do it :)

> > For me this restriction is not enough to make use of unsafe external
> > languages safe. I already preview a security advisory - granting a user
> > the CREATE DATABASE right in fb 2.5 makes it possible for him to execute
> > arbitrary code. Maybe better to automatically turn off unsafe languages
> > for non-SYSDBA?
>
> I prefer to not separate safe\unsafe languages. SQL\EXTERNAL is enough
> for me.

I'd prefer to configure availability per-language, i.e.
GRANT EXTERNAL LANGUAGE JAVA TO <user>

> And, yes, we may allow to EXECUTE\SELECT any EXTERNAL SP only by
> SYSDBA by default (or something like this)

This will be OK.