Subject Re: [ib-support] Firebird install.sh and Linux/Unix
Author William L. Thomson Jr.
On Tue, 2002-07-02 at 05:31, Paul Schmidt wrote:
> On 28 Jun 2002 at 13:51, William L. Thomson Jr. wrote:
>
> > Just a thought for others to comment on. Shouldn't each service under
> > a Posix compliant OS run under restricted users and groups not
> > root/su.
>
> Yes, that's why there is a change user script in the Firebird directory....
Sorry, should have seen and used that.

> > So if possible can it be added to the Firebird installer that a user
> > and group be created that Firebird will run under.
>
> I don't agree with this idea, for a couple of reasons, one is that if every app that
> could run as root or as its own user created its own user and group you could end
> up with hundreds or thousands of users just for maintenance. For example if you
> have Firebird, PostgreSQL, mySQL, Sybase and Oracle installed you could end up
> with 5 separate users just for databases.
Well, your point is something I would assume more to disagree with, or at
least I do. I would not think it good practice to run more than one type
of db on a machine if you are concerned with the absolute performance
of the db. I would assume those who have critical information would run
a dedicated db server/cluster. Furthermore, in the case that someone
does, then each db should definitely be running under different users.

> Some people might want to run them all
> under one user id.
If they all ran under one, then the possibility could exist for one to
affect another. Also if one db becomes exploitable they now have control
of a user/group that could affect other db's that are not exploitable in
the same manner. Thus making all the db's as a whole that much more
insecure. Also if someone is using different db's then another reason to
use different users would be for control of machine/proc/mem/disc usage.
You would not want all to run free willy.

> Second it could create its own security problems, some people
> might think that Firebird is just too obvious for security reasons.
Once again, if the machine is not exploitable, then how is this a concern?
A ton of standard apps come with and run under standard users/groups. So
what makes Firebird so different?

If security was that much of a concern, then the sys admin would be
changing the name regardless, using the script you mentioned earlier.

> > I have had my installation of InterBase and InterClient running this
> > way for a while without any problems. Which should also help in case
> > someone was able to get control of those accounts or services the
> > damage would be limited to the user and the group the services belong
> > to.
>
> This can be made very difficult if you disable the password to that account, by
> replacing the password field in the /etc/passwd file with a *. You need to make sure
> that shadow passwords are turned off before you do this, (you can convert from
> shadow to non-shadow, fix the password and then convert back). The only way to
> access it then is by logging in as root, and using the su command.
So I would suggest, in addition to the install script creating a user
and group, it would also deal with the password issue. I believe there
is a way to create a user without a password from the start. No?

>
> > So if an exploit or vulnerability arises it would not be a root
> > exploit. So in my situation I have a user and group that IB runs
> > under. I have a separate user and group that InterClient runs under.
> > InterClient's group also includes the group that IB belongs to. Both
> > IB and InterClient's group are also members of the root group,
> > although I am not too sure that was necessary.
>
> They don't need to be members of the root group.
My experimentation with Firebird did confirm this, so I can further
limit the damage by its group not also being a member of the root
group.

> > Or am I doing all of this for nothing?
>
> Security can be a real PITA, but it beats getting hacked.
Yes, what I am really focusing on is the out of box security of
Firebird. I believe too much software being released is assuming a
proper security measure will be taken after the fact, instead of
ensuring at least an initial level of security to begin with, as not
everyone is using or aware of the latest and greatest security measures
and techniques.

So we need to do our part to ensure an initial level of security, that a
savvy admin could and would expand upon, giving the average Joe Shmoe at
least some level of initial security.

What I am suggesting is no different than what has been done with a
variety of other popular open source software. With Firebird already
being so great, this would just be one more base that it is covered on.

As security should be at the absolute top of everyone's list regardless
of what you are doing, unless you are running a honey pot.

--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
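One way to check that a service account has the properties this thread argues for (its own primary group, a disabled password, no interactive shell, no root group membership), as an added shell example that is not part of the original mailing-list post. The account names, home directories and the passwd/shadow/group lines are constructed sample data; on a real host you would read /etc/passwd, /etc/shadow (as root) and /etc/group instead.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a dedicated service
# account. A disabled password shows up as "*" or "!..." in the password
# field (what "passwd -l" writes, and what shadow-utils useradd leaves when
# no -p is given). The sample lines below are constructed data.
# Creating such an account with shadow-utils (hypothetical home directory):
#   groupadd -r firebird
#   useradd -r -g firebird -d /opt/firebird -s /sbin/nologin firebird
#   passwd -l firebird

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
firebird:x:84:84:Firebird server:/opt/firebird:/sbin/nologin
interclient:x:85:85:InterClient:/opt/interclient:/bin/bash'
SAMPLE_SHADOW='root:$6$constructedhash:19000:0:99999:7:::
firebird:!:19000:0:99999:7:::
interclient:$6$constructedhash:19000:0:99999:7:::'
SAMPLE_GROUP='root:x:0:interclient
firebird:x:84:
interclient:x:85:firebird'

# audit_service_user NAME: prints each finding; returns 0 only when clean
audit_service_user() {
    name=$1
    rc=0
    pw_line=$(printf '%s\n' "$SAMPLE_PASSWD" | grep "^$name:") ||
        { echo "$name: no passwd entry"; return 1; }
    gid=$(printf '%s\n' "$pw_line" | cut -d: -f4)
    shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    hash=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$name:" | cut -d: -f2)
    case "$hash" in
        '*' | '!'*) ;;                       # disabled or locked: good
        *) echo "$name: password is usable"; rc=1 ;;
    esac
    case "$shell" in
        */nologin | */false) ;;              # no interactive login: good
        *) echo "$name: interactive shell $shell"; rc=1 ;;
    esac
    [ "$gid" != 0 ] || { echo "$name: primary group is root"; rc=1; }
    root_members=$(printf '%s\n' "$SAMPLE_GROUP" | grep '^root:' | cut -d: -f4)
    if printf '%s\n' "$root_members" | tr ',' '\n' | grep -qx "$name"; then
        echo "$name: supplementary member of root group"; rc=1
    fi
    return $rc
}

audit_service_user firebird && echo "firebird: ok"
audit_service_user interclient || echo "interclient: needs attention"
```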