| Subject | Re: [IBDI] Internet |
|---|---|
| Author | Jon Hall |
| Post date | 2001-06-04T16:56:02Z |
I work at a web host/isp/web development house. We offer SQL Server access
directly to anyone via TCP/IP. The users only have access to their
databases, however it is possible for anyone to see a list of databases even
in SQL2k.
You dont even need to authenticate. However in SQL Server, the sp's and
triggers are attached to the individual database and I dont think they are
viewable to anyone other than their owner.
I think the ability for anyone to add tables to any database other than
their own, is a large security hole though. Have you actually tried this
Pete?
jon
directly to anyone via TCP/IP. The users only have access to their
databases, however it is possible for anyone to see a list of databases even
in SQL2k.
You dont even need to authenticate. However in SQL Server, the sp's and
triggers are attached to the individual database and I dont think they are
viewable to anyone other than their owner.
I think the ability for anyone to add tables to any database other than
their own, is a large security hole though. Have you actually tried this
Pete?
jon
----- Original Message -----
From: "David Jencks" <davidjencks@...>
To: <IBDI@yahoogroups.com>
Sent: Monday, June 04, 2001 8:54 AM
Subject: Re: [IBDI] Internet
> Hi,
>
> I'm not entirely sure exactly what you mean by "the database would have to
> be accessible from
> > tcp/ip". If you are proposing making port 3050 accessible through a
> firewall, I think this is a security disaster waiting to happen.
>
> I don't know what isp's usually provide. I would think if one lets you
run
> a database they would also give you a ssh shell account you could
> administer it from. Does this address the problem you are trying to
solve?
>
> david jencks
>
> On 2001.06.04 12:56:58 -0400 Peter Morris wrote:
> > It may be obvious by this point that I intend to use Firebird to serve
> > data
> > on a website.
> >
> > If this were on an ISP the database would have to be accessible from
> > tcp/ip
> > so that people could maintain their databases. Unfortunately only
"real"
> > data is protected by roles etc, anyone may look at each other's
meta-data
> > and take a copy of triggers etc etc (I presume add tables too ?).
> >
> > Is there a way to stop this ? If not, is there a plan to implement a
way
> > to
> > stop this ?
> >
> > Pete
> >
> >
> > Community email addresses:
> > Post message: IBDI@yahoogroups.com
> > Subscribe: IBDI-subscribe@yahoogroups.com
> > Unsubscribe: IBDI-unsubscribe@yahoogroups.com
> > List owner: IBDI-owner@yahoogroups.com
> >
> > Shortcut URL to this page:
> > http://www.yahoogroups.com/community/IBDI
> >
> > Your use of Yahoo! Groups is subject to
http://docs.yahoo.com/info/terms/
> >
> >
> >
> >
>
>
> Community email addresses:
> Post message: IBDI@yahoogroups.com
> Subscribe: IBDI-subscribe@yahoogroups.com
> Unsubscribe: IBDI-unsubscribe@yahoogroups.com
> List owner: IBDI-owner@yahoogroups.com
>
> Shortcut URL to this page:
> http://www.yahoogroups.com/community/IBDI
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>