Subject Re: [IBDI] Internet
Author Peter Morris
> AFAIK only the SYSDBA and the table owner can extract the
> metadata.

This may have been the intention, but it is not the case.

I just did this

1) Log in as sysdba
2) Create a database + table
3) Create a user "pete_m" with no permissions to any databases
4) Log in as pete_m
5) Extracted the meta data for the new database without problems
6) Added a new table to the database without problems

The difference between IB and MS SQL is twofold
1) MS SQL will not allow the above but shows a list of all databases
2) IB will allow the above, but you have to find the database first

The problem is that finding a database isn't always that difficult
(especially if the ISP insists on a convention of some kind, eg all
databases must go in your /db directory or we wont set up an ODBC entry).
You can probably (not sure though) get the path of a DB from the ODBC
connection anyway.

I think both DBs are incorrect, MS SQL should not show the other databases
unless you register them, but IB has the worst case where meta-data
(copyrighted information) is extractable without any access permission, and
the database may have new tables added !

I am sure anyone in the slightest bit concerned (paranoid ?) about their
database security will agree with me that relying on the hacker not to
"guess" where a database is is a bad idea. Unix permissions do not come
into this as it may be a windows machine.