Subject RE: [firebird-support] UdfAccess Question
Author Alan McDonald
> Alan McDonald wrote:
>
> > UDFAccess = Restrict UDF
> > (this may work... not tried UdfAccess = Restrict UDF)
> >
> > Something is wrong here don't you think? - It's certainly not
> as documented.
>
> Well
> #UdfAccess = Restrict UDF
> Is what is supplied as a sample default. It's commented out, and all you
> have to do (according to the notes) is remove the '#'
> So what is wrong?
>
> --
> Lester Caine

This is a clip from the release notes:
CAUTION :: Avoid setting up custom directory trees for UdfAccess and ExternalFileAccess such that they share a parent tree-root. The default settings are safe. If you are setting up your own and you don't make separated directory trees for them, the server can be easily hacked to execute unauthorised code. An example of what to avoid:
UdfAccess = UDF; /bad_dir
ExternalFileAccess = /external; /bad_dir/files


As you can see, the second-last line above is not valid. It should read
UdfAccess = Restrict UDF; /bad_dir
(this has nothing to do with it being a bad idea; it's just that the format is wrong).

Now as for the .conf file...

# ----------------------------
# External Function (UDF) Paths/Directories
#
# UdfAccess may be None, Full or Restrict. If you choose
# Restrict, provide ';'-separated trees list, where UDF libraries
# are stored. Relative paths are treated relative to RootDirectory entry
# (see above). Default value 'Restrict UDF' provides the same restrictions
# as in FB 1.0. To specify access to specific trees, enum all required
# paths (for Win32 this may be something like 'C:\ExternalFunctions',
# for unix - '/db/extern;/mnt/extern').
#
# NOTE: THE EXTERNAL FUNCTION ENGINE FEATURE COULD BE USED TO COMPROMISE
# THE SERVER/HOST AS WELL AS DATABASE SECURITY!!
#
# IT IS STRONGLY RECOMMENDED THAT THIS SETTING BE USED TO LIMIT
# EXTERNAL FUNCTION LOCATIONS! SPECIALLY AVOID HAVING
# COMMON SUBTREES IN UdfAccess & ExternalFileAccess !
#
# Type: string (special format)
#
#UdfAccess = Restrict UDF

Install FB from the install script and the permissions of the UDF dir are NOT firebird... it's root/root, which is how you are recommended to be to run the install script.
Thus started my several-hours-long discovery pattern into the above setting.
1. Full does not work
2. I was reading the value as being Full None or Restrict... then reading
the default value "Restrict UDF" I was thinking of this as yet another
value - not understanding that it was a value and a directory.
It's getting late and the fog is rolling in.....
Alan
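
The release-notes caution quoted in this message can be checked mechanically. The following is an added example, not part of the original post or of Firebird itself: it parses firebird.conf text and reports UdfAccess and ExternalFileAccess trees where one contains the other. It assumes Unix-style paths, that ExternalFileAccess uses the same value format as UdfAccess and defaults to None, and a constructed RootDirectory of /opt/firebird.

```python
import posixpath

# Constructed sample input: the release-notes "what to avoid" layout.
BAD_CONF = """\
RootDirectory = /opt/firebird
UdfAccess = Restrict UDF; /bad_dir
ExternalFileAccess = Restrict /external; /bad_dir/files
"""

def read_settings(conf_text):
    """Collect key = value pairs, ignoring '#' comments."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_access(value, root):
    """Return the absolute trees a setting allows ([] for None, ['/'] for Full)."""
    keyword, _, rest = value.strip().partition(" ")
    if keyword.lower() == "none" and not rest.strip():
        return []
    if keyword.lower() == "full" and not rest.strip():
        return ["/"]
    # Accept the list with or without the leading 'Restrict' keyword.
    paths = rest if keyword.lower() == "restrict" else value
    return [posixpath.normpath(posixpath.join(root, p.strip()))
            for p in paths.split(";") if p.strip()]

def is_within(path, tree):
    """True if path is the tree itself or lies below it."""
    return path == tree or path.startswith(tree.rstrip("/") + "/")

def shared_trees(conf_text, default_root="/opt/firebird"):
    """Return (udf_tree, external_tree) pairs where one tree contains the other."""
    s = read_settings(conf_text)
    root = s.get("RootDirectory", default_root)  # default_root is an assumption
    udf = parse_access(s.get("UdfAccess", "Restrict UDF"), root)
    ext = parse_access(s.get("ExternalFileAccess", "None"), root)  # assumed default
    return [(u, e) for u in udf for e in ext
            if is_within(u, e) or is_within(e, u)]

if __name__ == "__main__":
    for u, e in shared_trees(BAD_CONF):
        print(f"overlap: UdfAccess tree {u} and ExternalFileAccess tree {e}")
```

An empty result means no UDF tree and external-file tree overlap; any pair returned is a directory layout the caution says to avoid.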