alex_vnru@... wrote:

> --- In IBDI@y..., John Culleton <service@w...> wrote:
>
>> AFAIK only the SYSDBA and the table owner can extract the
>> metadata. Read the references to permissions and security in the
>> Interbase docs if you have them.
>>
>
>
> Hi, John. Not so fine. Try to connect to your database as any user
> registered on server (in ISC4.GDB) but having not any rights within
> your database and make
>
> Select * from rdb$relations
>
>

You are correct :-( So the next level of defense is the application.
If the application program (e.g. in C language) only refers to the
tables to be read then it cannot be used for access to the system tables
in the database, or to create tables etc. Or a generalized inquiry
program could be written that forbids access to any table with a $
in the table name.

I should note that isql is a utility and not intended to be the primary
means of dealing with the database on the application level. End users
need not have access to it.

Interbase should of course provide system table security from the
beginning. This is a serious flaw. But now that the hole has been
exposed it can be dealt with. I suggest that in secure situation
access be allowed only through an html page, which calls a cgi-bin
program, which has the security measures built in as described above.

BTW what do the gurus at Borland/Inprise say about this security hole?

John Culleton