Subject Re: [IBDI] Security Questions
Author Helen Borrie
David,
This looks important. I suggest posting it again on Thursday (Aus. time)
to the IB-Priorities list.
In the States they are all on holiday until Wednesday (US time) for
Independence Day.

Helen

At 08:04 PM 03-07-00 +1000, you wrote:
>1. The IB6 Beta SS for Linux includes a populated user list including:
>
> CANWEPARSELENGTH18
> CUGINI
> GUEST
> HU
> KUMAR
> MCGINN
> QATEST
> QA_USER1
> QA_USER2
> QA_USER3
> QA_USER4
> QA_USER5
> SCHANZLE
> SHAKIM
> SHUT1
> SHUT2
> SULLIVAN
> SULLIVAN1
> SYSDBA
>
> Now obviously "SYSDBA" has to stay, but will all the others be removed
> before IB6 is officially released? If not, it could potentially lead to
> IB6 systems being broken into due to the distribution of way too many
> "default accounts" (beyond just "SYSDBA" - and everyone's remembered to
> change the default password, right?).
>
>2. Any local (UNIX) user can potentially connect to the ISC4 database and
> read the encrypted password field:
>
> SQL> CONNECT '/usr/interbase/isc4.gdb';
> SQL> SELECT USER_NAME, PASSWD FROM USERS;
>
> Whilst I haven't tried this yet (running Crack, perhaps modified), those
> passwords look awfully similar to UNIX crypt'd passwords (perhaps minus
> the salt). Would IB user authentication break severely if that field was
> not readable to regular users?
>
>3. The ISC4 database is owned by "BUILDER" (with other references to "PUBLIC"
> in the priv's table); are these treated specially (or at least, within
> the ISC4 database) or would the existence of a UNIX-level user called
> "builder" (or "public" for that matter) suddenly open up the core IB
> security database (given that local users don't appear to have to
> authenticate themselves)?
>
>Basically I'm trying to identify potential interdependencies between IB's
>security model and the external host environment (i.e., changes to the local
>host environment that could break or lessen IB security); it's not a
>scientific security audit per se, just some questions that were raised whilst
>examining IB for a production environment.
>
>Comments/corrections/pointers appreciated, thanks.
>
>
>dave
>

http://www.interbase2000.org
___________________________________________________
"Ask not what your free, open-source database can do for you,
but what you can do for your free, open-source database."
(J.F.K.)
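An added audit helper for points 1 and 2 of the quoted message (my own example, not code from the thread or from InterBase): it parses the kind of listing the quoted `SELECT USER_NAME, PASSWD FROM USERS` query prints and flags every account other than SYSDBA, and it checks whether a security-database file is readable by other local users. The sample listing, the placeholder PASSWD values and the expected-account set are constructed assumptions; whether InterBase itself keeps working with a non-world-readable isc4.gdb is the open question in the thread and is not answered here.

```python
"""Audit helper: stray accounts in the security database and a security
database file readable by any local user. Constructed example data only."""
import os
import stat
import tempfile

# Assumption: SYSDBA is the only account that belongs in a fresh install;
# every other USER_NAME is reported for removal.
EXPECTED_ACCOUNTS = {"SYSDBA"}

# Constructed sample of isql's tabular output for the USERS query.
# PASSWD values are made-up placeholders, not real password hashes.
SAMPLE_ISQL_OUTPUT = """\
USER_NAME                       PASSWD
=============================== ========================
QATEST                          placeholder1
QA_USER1                        placeholder2
SYSDBA                          placeholder3
"""


def parse_users(isql_output):
    """Return {USER_NAME: PASSWD}, skipping the header, rule and blank lines."""
    users = {}
    for line in isql_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "USER_NAME" or parts[0].startswith("="):
            continue
        users[parts[0]] = parts[1]
    return users


def unexpected_accounts(users, expected=EXPECTED_ACCOUNTS):
    """Sorted list of accounts present in USERS but not in the expected set."""
    return sorted(set(users) - set(expected))


def readable_by_others(path):
    """True if the 'other' class can read the file (isc4.gdb should not be)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_permission_check():
    """Create a stand-in for isc4.gdb, check it at mode 0644, then at 0600."""
    fd, path = tempfile.mkstemp(suffix=".gdb")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = readable_by_others(path)
        os.chmod(path, 0o600)
        after = readable_by_others(path)
    finally:
        os.unlink(path)
    return before, after
```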