Subject Re: [ib-support] Firebird and Linux/Unix
Author Paul Schmidt
On 28 Jun 2002 at 13:51, William L. Thomson Jr. wrote:

> Just a thought for others to comment on. Shouldn't each service under
> a Posix compliant OS run under restricted users and groups not
> root/su.

Yes, that's why there is a change user script in the Firebird directory....

> So if possible can it be added to the Firebird installer that a user
> and group be created that Firebird will run under.

I don't agree with this idea, for a couple of reasons, one is that if every app that
could run as root or as it's own user created it's own user and group you could end
up with hundreds or thousands of users just for maintenance. For example if you
have Firebird, PostgreSQL, mySQL, Sybase and Oracle installed you could end up
with 5 separate users just for databases. Some people might want to run them all
under one user id. Second it could create it's own security problems, some people
might think that Firebird is just too obvious for security reasons.

> I have had my installation of InterBase and InterClient running this
> way for a while without any problems. Which should also help in case
> someone was able to get control of those accounts or services the
> damage would be limited to the user and the group the services belong
> to.

This can be made very difficult if you disable the password to that account, by
replacing the password field in the /etc/passwd file with a *. You need to make sure
that shadow passwords are turned off before you do this, (you can convert from
shadow to non-shadow fix the password and the convert back). The only way to
access it then is by logging in as root, and using the su command.

> So if an exploit or vulnerability arises it would not be a root
> exploit. So in my situation I have a user and group that IB runs
> under. I have a separate user and group that InterClient runs under.
> InterClient's group also includes the group that IB belongs to. Both
> IB and InterClient's group are also members of the root group,
> although I am not to sure that was necessary.

They don't need to be members of the root group.

> Or am I doing all of this for nothing?

Security can be a real PITA, but it beats getting hacked.
Paul Schmidt, President
Tricat Technologies