Subject RE: [firebird-support] Embedded server/database security
Author Alan McDonald
> Well, it's only correct if the tool is located in the application
> directory.

The tool doesn't have to be in the application directory. I use IBExpert
with the embedded server as the client library. I can therefore connect to
any database sitting anywhere locally (without a local server running) AND
remotely to a server.

> It's not true if the database is installed on a machine that is
> running the Firebird "full" server

But Peter is referring to an embedded server app with an adjacent database.

> and Database Workbench (or some other
> tool) is installed out of reach of the embedded server library. The full
> server always requires a user name and password.
>
> It's also not true that the FDB that you ship has "no security whatsoever",

In the context of the database file floating around for any Tom, Dick or
Harry to poke around inside it with any tool they fancy, I'm afraid "no
security whatsoever" is a more accurate description of reality.
If someone were wanting to look into the file, they wouldn't be thwarted by
a failed login via your application.

> unless you ship your FDB with no SQL privileges defined. Define privileges
> for a specific user name and/or role -- that is a variable in the
> application -- and pass this as part of the connection string. You can
> have the user "log in" using this username as her "password" and block any
> other username, including sysdba, from getting past your login
> prompt. Then, at least as far as the application is concerned, you lock
> out rogue users.
>
> (But it won't stop anyone who installs DB Wb or isql or whatever into the
> app directory, since they can use sysdba in their login and get access to
> everything. So write it into the contract that you won't take
> responsibility for security breaches resulting from user misbehaviour or
> sloppy site security).
>
> ./heLen

I don't know what you mean about it having to be installed in the
application directory. I have no such impediment to using the embedded
server on any file on my disk.
Alan