Subject RE: [firebird-support] Embedded server/database security
Author Helen Borrie
> >
> > Is it true that the database (.FDB) file I ship with my FB embedded
> > server application has no security whatsoever? That anyone with a
> > tool like Database Workbench can simply attach to it and make changes?

At 01:36 PM 28/01/2005 +1100, Alan McDonald wrote:


>that's correct, and they can also decompile your executable.

Well, it's only correct if the tool is located in the application
directory. It's not true if the database is installed on a machine that is
running the Firebird "full" server and Database Workbench (or some other
tool) is installed out of reach of the embedded server library. The full
server always requires a user name and password.

It's also not true that the FDB that you ship has "no security whatsoever",
unless you ship your FDB with no SQL privileges defined. Define privileges
for a specific user name and/or role -- that is a variable in the
application -- and pass this as part of the connection string. You can
have the user "log in" using this username as her "password" and block any
other username, including sysdba, from getting past your login
prompt. Then, at least as far as the application is concerned, you lock
out rogue users.

(But it won't stop anyone who installs DB Wb or isql or whatever into the
app directory, since they can use sysdba in their login and get access to
everything. So write it into the contract that you won't take
responsibility for security breaches resulting from user misbehaviour or
sloppy site security).

./heLen
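
The privilege setup described in the message above, as an added example that is not part of the original post or of any Firebird documentation. The table, role and user names (CUSTOMER, ORDERS, APP_ROLE, APPUSER) and the file name app.fdb are hypothetical.

```sql
-- Added example: run as the database owner before shipping the .FDB.
-- CUSTOMER, ORDERS, APP_ROLE and APPUSER are hypothetical names.

CREATE ROLE APP_ROLE;

-- Grant only what the application needs, to the role rather than to a user.
GRANT SELECT, INSERT, UPDATE ON CUSTOMER TO APP_ROLE;
GRANT SELECT, INSERT ON ORDERS TO APP_ROLE;

-- Only this user name may assume the role.
GRANT APP_ROLE TO APPUSER;

COMMIT;

-- Audit before release: list every privilege recorded on non-system objects.
-- Expected rows: the owner's own rights, the APP_ROLE grants above, and
-- APPUSER's membership of APP_ROLE (RDB$PRIVILEGE = 'M').
-- A row for PUBLIC or for any other user name should be revoked.
SELECT RDB$USER, RDB$RELATION_NAME, RDB$PRIVILEGE, RDB$GRANT_OPTION
FROM RDB$USER_PRIVILEGES
WHERE RDB$RELATION_NAME NOT STARTING WITH 'RDB$'
ORDER BY RDB$RELATION_NAME, RDB$USER;

-- The application then attaches with the fixed name and role, for example
-- in isql:
--   CONNECT 'app.fdb' USER 'APPUSER' ROLE 'APP_ROLE';
-- As the message says, this does not restrain a tool placed in the
-- application directory that attaches as sysdba.
```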