> On Friday 19 October 2007 15:53, Vlad Khorsun wrote:
> > Everyone may create database and occupy whole hdd by it. Is it good ?
>
> Everyone granted insert to any table can do it :)

But we can REVOKE INSERT and can't REVOKE CREATE DATABASE

> > > For me this restriction is not enough to make use of unsafe external
> > > languages safe. I already preview security advisory - granting user
> > > CREATE DATABASE right in fb 2.5 makes it possible for him to execute
> > > arbitrary code. May be better automatically turn off unsafe languages for
> > > non-SYSDBA?
> >
> > I prefer to not separate safe\unsafe languages. SQL\EXTERNAL is enough
> > for me.
>
> I'd prefer to configure availability per-language, i.e.
> GRANT EXTERNAL LANGUAGE JAVA TO <user>

Why do we need it ?

> > And, yes, we may allow to EXECUTE\SELECT any EXTERNAL SP only by
> > SYSDBA by default (or something like this)
>
> This will be OK.

Then - ok ;)

Regards,
Vlad