Subject Re: [Firebird-Architect] External engines - metadata
Author Vlad Khorsun
> Vlad Khorsun wrote:
>>> 2) We are defining a public plugin interface or something only the FB
>>> project may use and can change in each version?
>> I see no relation between this question and subject of discussion.
> It's related, as a "second version" of Java plugin may not have
> necessary foundations to work.

We are not going to change plugin interface v1 in v2 of this interface.
Only extend it when necessary. And I still see no relation between
all these security questions and the interface between plugin and engine.

>>> Vlad, if official Java plugin allows only to execute classes that user
>>> should invent a way to put in the server, it will certainly not be very
>>> usable.
>> Why? Why are Java classes better than current UDFs? Is it safe?
>> Really?
> Yes it's safe because it runs in JVM, or in a managed environment in MS
> words for .NET.

Its safety depends on how it's tuned.

> It's safer as PSQL. One could do bad things with both, for example,
> writing endless loop.
>> Or sysadmin (not dba !) must configure Java on his computer
>> first to make is safe ?
> It seems we agreed to deliver a default configuration file to run Java
> classes with untrusted applet permissions.
> I don't worry to use my browser with this on, why a sysadmin may block a
> DBA, please?

>> And made it not usable at the same time if classes
>> want to do something forbidden ;)

Sysadmin might forbid, for example, creating sockets, or close some ports
on the firewall, while a new Java procedure might want to use them.

>> Correct me where I'm wrong:
>> I'm ISP\sysadmin. I allow you (dba) to run your database on my
>> computer. I configure JVM and disallow any Java code to write into FS.
>> You (dba) can't configure the JVM instance hosted by the database engine to do
>> something I don't allow. I (ISP) don't want to approve any of your UDFs
>> independent of which language you write them in. I (ISP) don't trust you (dba)
>> to configure security on my machine. All I can allow you to do is to run
>> the database engine, which is more or less trusted by me.
> Master configuration file (edited by ISP sysadmin) or security
> permissions created by a SYS user (SYS = sysadmin, different from
> SYSDBA) is the definitive authority, nobody can give more privileges
> than it.
> But DBA will be able to revoke privileges per user.

Why must DBA think about file-level privileges??? He must think about
_database_ and _database objects_. All the rest is the sysadmin's responsibility.

> We do want different permission per language for DECLARE.
> Sorry, but the reasons are in all the mails and you may read them again; I'll not
> insist on this.

Explained and agreed in another message

>>> doesn't make sense because:
>>> 1) If well configured, Java code is safe as PSQL
>> I (ISP) don't trust you (dba). Remember it ;) Hence there is no sense
>> in configuring Java security through the database.
> ISP/sysadmin is the master, remember?

Yes, and what?

>> But it is still required to allow\
>> disallow users to execute procedures. Independent of language. And this is
>> required by the dba, not the ISP.
> No problem, we already have EXECUTE permission and I don't think we
> should change it.


>>> 2) No matter how well configured, binary machine code is not safe - I
>>> see no comments from you about the "security by obscurity" that I mentioned
>> Because it's not "security by obscurity". Nobody can override FS
>> permissions. And if you don't know allowed directory - you can't write
>> anything anywhere.
> Really? What about /tmp or FB directory installation?

What about firebird.conf settings? ;)

>> Again, please, define goals and problems. Imagine I know nothing
>> about Java, JVM, Java security etc...
> I imagined, as that seems to be true. :-)))

We are talking about our own imaginations. As you started this discussion,
I ask you to be more clear and concrete ;) Examples or links to others'
documentation might be a big help.
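The two-level authority argued over in this thread (a master policy edited only by the ISP/sysadmin as the ceiling, with the DBA able to revoke but never to grant beyond it, and EXECUTE staying a per-user, language-independent decision) can be made concrete. The following is an added example, not code from Firebird or from any Java plugin; the permission names ("fs.read", "net.connect", ...), the languages and the users are constructed for the demo, and the `MasterPolicy`/`DbaPolicy` API is hypothetical.

```python
# Added illustration of the two-level authority discussed in the thread:
# a master policy owned by the sysadmin/ISP is the ceiling, and the DBA
# can only revoke within it.  Example code, not Firebird's implementation;
# permission names and the API are constructed for the demo.

from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a DBA-level action would exceed the master policy."""


@dataclass(frozen=True)
class MasterPolicy:
    """Edited only by the sysadmin outside the database (e.g. a config file).

    Maps an external-routine language to the permissions routines written in
    that language may ever hold.  Nothing inside the database can widen it.
    """
    ceilings: dict  # language -> frozenset of permission names

    def ceiling(self, language: str) -> frozenset:
        return self.ceilings.get(language, frozenset())


@dataclass
class DbaPolicy:
    """Maintained by the DBA inside the database: per-user revocations only."""
    revoked: dict = field(default_factory=dict)  # user -> set of permissions

    def revoke(self, user: str, permission: str) -> None:
        self.revoked.setdefault(user, set()).add(permission)

    def restore(self, master: MasterPolicy, language: str,
                user: str, permission: str) -> None:
        """Undo a revocation.  Cannot 'grant' anything the master never allowed."""
        if permission not in master.ceiling(language):
            raise PolicyViolation(
                f"{permission!r} is outside the master ceiling for {language!r}")
        self.revoked.get(user, set()).discard(permission)


def effective_permissions(master: MasterPolicy, dba: DbaPolicy,
                          language: str, user: str) -> frozenset:
    """Ceiling minus the DBA's revocations; always a subset of the ceiling."""
    return master.ceiling(language) - dba.revoked.get(user, set())


def is_allowed(master: MasterPolicy, dba: DbaPolicy,
               language: str, user: str, permission: str) -> bool:
    return permission in effective_permissions(master, dba, language, user)


def demo() -> dict:
    # Constructed sample: the ISP lets Java routines read files and open client
    # sockets, forbids writing to the filesystem, and gives native UDFs nothing.
    master = MasterPolicy({
        "java": frozenset({"fs.read", "net.connect"}),
        "native": frozenset(),
    })
    dba = DbaPolicy()
    dba.revoke("reporting", "net.connect")  # the DBA narrows one user further

    results = {
        "reporting_java": sorted(effective_permissions(master, dba, "java", "reporting")),
        "admin_java": sorted(effective_permissions(master, dba, "java", "admin")),
        "admin_native_fs_read": is_allowed(master, dba, "native", "admin", "fs.read"),
    }
    # A DBA attempt to hand out filesystem writes is refused by the ceiling.
    try:
        dba.restore(master, "java", "admin", "fs.write")
        results["fs_write_granted"] = True
    except PolicyViolation:
        results["fs_write_granted"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is that the DBA's policy lives inside the database and only ever subtracts, so a compromised or careless DBA account cannot widen what routines in any language may do; the ceiling is enforced at the point where permissions are computed, not by trusting the DBA to configure the JVM.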