Subject | Don't share the fdb file |
---|---|
Author | GrumpyRain |
Post date | 2004-11-29T22:50:17Z |
--- In firebird-support@yahoogroups.com, "rajsubramani"
<rajsubramani@y...> wrote:
> I have read the recent posts on Firebird security. I am referring,
> here, mainly to the client server mode of firebird and I feel that
> security can basically be circumvented. I hope you will tell me that I
> am wrong (and with some luck, why so).
>
> Suppose I wish to deploy an enterprise archive with JBoss which
> connects to a Firebird datasource. I supply a gdb file with my dist
> (ear file) which contains my tables and more importantly some
> important trigger checks.
>
> I supply this DB with a user role with limited privileges so the user
> cannot modify (or drop) this trigger.
>
> Now I expect the user to download FB from the FB web site and install
> it.
>
> Hey presto, the third party can now set SYSDBA and password to his
> choice, connect to my DB, drop the triggers or whatever.
>
> Most other DB's I work with have a concept of DB owner which goes with
> the DB file(s). By delegating user password security to security.fdb
> hasn't this been circumvented?
>
> I look forward to someone pointing out that I have got the wrong end
> of the stick and I shall go away and live happily ever after ... or
> will I?
>
> Cheers
> -raj

You should never allow the clients to connect to the server via file
connection.
Let's just say you have a server called "server" (pretty creative I
know). The database can be located in c:\database\db.fdb for this example.
On "server" in aliases.conf, set MyDB=c:\database\db.fdb
Now from the clients, you can just set the connection string to
"server:MyDB". You can even install a firewall between the server and
client machines and just have port 3050 open.
That way, there is no way for the user to get their hands on db.fdb,
and so no way to bypass security. The other nice thing about this is
that you can quite easily make your application work over the
internet; as long as the firewalls allow access to that port, it will work.
Hope that helps
Adam
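
An added example, not part of the original post: a small Python check that sorts client connection strings into the "server:MyDB" alias form recommended above and everything else, using the aliases.conf entry from the post. The sample client strings, the category names and the function names are constructed for illustration, and treating alias names as case-insensitive is an assumption of the example.

```python
import re

# Constructed sample: the server-side aliases.conf entry from the post.
ALIASES_CONF = r"""
# aliases.conf on "server"
MyDB=c:\database\db.fdb
"""

def parse_aliases(text):
    """Return {alias: path} from aliases.conf text ('#' starts a comment)."""
    aliases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, path = line.split("=", 1)
            # Assumption of this example: alias names compare case-insensitively.
            aliases[name.strip().lower()] = path.strip()
    return aliases

def classify(conn, aliases):
    """Classify a client connection string against the post's advice."""
    conn = conn.strip()
    if conn.startswith("\\\\"):
        return "unc"            # not the TCP host:alias form; review by hand
    if re.match(r"[A-Za-z]:[\\/]", conn) or ":" not in conn:
        return "local-path"     # no server part: a drive or mapped-drive path
    target = conn.split(":", 1)[1]
    if re.search(r"[\\/:]", target):
        return "remote-path"    # via the server, but names the file, not the alias
    if target.lower() in aliases:
        return "remote-alias"   # "server:MyDB", the form the post recommends
    return "unknown-alias"

def audit(conn_strings, aliases_text=ALIASES_CONF):
    """Return the (string, class) pairs that are not host:alias connections."""
    aliases = parse_aliases(aliases_text)
    results = [(c, classify(c, aliases)) for c in conn_strings]
    return [(c, kind) for c, kind in results if kind != "remote-alias"]

if __name__ == "__main__":
    # Constructed client settings, e.g. collected from application config files.
    samples = ["server:MyDB", r"server:c:\database\db.fdb",
               r"Z:\db.fdb", "server:Other"]
    for conn, kind in audit(samples):
        print(f"{kind:14} {conn}")
```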