Subject | Re: [IBDI] Is this true? Can steal GDB file image using an external table. |
---|---|
Author | Dalton Calford |
Post date | 2002-06-11T16:24:02Z |
Ok,
Yes, you can do this, although, by doing it, you will corrupt your database -
just like using the OS to copy an active database.
Your resulting file will be corrupt, your database will be corrupt.
Odds are also against you doing this on a production database because the DB
administrator would have put triggers on the system tables preventing any but
authorized users from modifying metadata.
So, overall, you have stumbled upon a neat way to destroy your data (I am sure
the nice folks at IBPhoenix would charge you a reasonable fee to try and fix
it) while not really showing a security hole (since the result of the
exercise will be a file that is even more corrupt than the database that was
damaged by the very action made to create the copy).
The security hole is a database that would allow a user to modify metadata
without authorization - bad database design and out of the realm of the
engine designers.
Best regards
Dalton
On Tuesday 11 June 2002 4:43 pm, toni_martir wrote:
> Jan Henrik Sylvester reported this on
> borland.public.interbase.general.
>
> Connect to a DB and create an external table with the same name as
> the GDB itself and one integer column:
>
> CREATE TABLE THE_GDB EXTERNAL
> FILE 'C:\Borland\InterBase\Examples\Database\Employee.gdb' (
> INT_VALUE INTEGER );
>
> Now write a program which selects from this table and writes the
> integer values to a file. You'll have a byte-for-byte copy of the
> GDB.
>
> One would think that the blind_meta.sql script should prevent users
> from creating tables, but even after running this script I can still
> create tables as a non-SYSDBA/owner IB user.
>
> This completely defeats the point of using OS security to protect the
> GDB file.
>
>
>
> Anyone tested it?
> Any workarounds?
>
> Thanks
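
A defender-side audit for the condition discussed in this thread, as an added example that is not part of the original posts: it flags external tables whose backing file is, or sits beside, a database file. It assumes the rows were read from the RDB$RELATIONS system table (RDB$RELATION_NAME, RDB$EXTERNAL_FILE); the function name, extension list and sample rows are constructed for illustration.

```python
import ntpath

# ".gdb" is the extension used in the thread; ".fdb" is added as an assumption.
DB_EXTENSIONS = {".gdb", ".fdb"}

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." and mixed slashes.
    return ntpath.normcase(ntpath.normpath(path.strip()))

def audit_external_tables(rows, database_files):
    """rows: (relation_name, external_file) pairs, e.g. the result of
    SELECT RDB$RELATION_NAME, RDB$EXTERNAL_FILE FROM RDB$RELATIONS
    WHERE RDB$EXTERNAL_FILE IS NOT NULL.
    database_files: paths of the database files hosted on this server.
    Returns a list of (relation_name, external_file, reason) findings."""
    known = {_norm(p) for p in database_files}
    db_dirs = {ntpath.dirname(p) for p in known}
    findings = []
    for name, ext_file in rows:
        target = _norm(ext_file)
        if target in known:
            reason = "maps a hosted database file"
        elif ntpath.splitext(target)[1] in DB_EXTENSIONS:
            reason = "maps a file with a database extension"
        elif ntpath.dirname(target) in db_dirs:
            reason = "lives in a database directory"
        else:
            continue  # ordinary import/export file outside the database area
        findings.append((name.strip(), ext_file.strip(), reason))
    return findings

# Constructed sample rows (relation names come back space padded).
SAMPLE_ROWS = [
    ("THE_GDB   ", r"C:\Borland\InterBase\Examples\Database\Employee.gdb"),
    ("IMPORT_CSV", r"D:\exchange\import.dat"),
    ("SNEAKY    ", r"c:\borland\interbase\examples\..\Examples\Database\employee.GDB "),
    ("LOG_DUMP  ", r"C:\Borland\InterBase\Examples\Database\log.txt"),
]
HOSTED = [r"C:\Borland\InterBase\Examples\Database\Employee.gdb"]

if __name__ == "__main__":
    for finding in audit_external_tables(SAMPLE_ROWS, HOSTED):
        print(finding)
```

Comparing normalised paths rather than raw strings is what catches the case-changed, `..`-padded variant in the sample rows.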