| Subject | Firebird security |
|---|---|
| Author | christophermarkstrauss |
| Post date | 2005-03-25T12:34:02Z |
Hi All
I have reviewed the current enhancement/feature requests
1169129 relating to "SYSDBA password in both security and database"
954769 relating to "Stand-alone databases"
I share the concern about security with the numerous requests and
discussions that happened on the Firebird Forum etc. and would like
to propose the following
1. Leave the SYSDBA user ID and password as masterkey but limit
the functionality of the SYSDBA user ID to system functionality such
as backing up, restoring, and assigning user rights to only the DBDBA
user ID. Do not allow the SYSDBA user ID to be used for accessing
any particular databases Metadata or User data
2. Create a new DBDBA user ID and password that is specific to a
particular database and which must be assigned/created at the time of
creating a database using the SYSDBA user ID and password
3. The new DBDBA user ID must have the following functionality.
· It must be used to access a particular databases Metadata and
user data.
· It should be able to assign rights to users specifically only
for the particular database for which it was created.
· It should be able to be used to backup and restore the
particular database for which it was created
· It should be embedded in the database.
· It should be either encrypted or hidden in the database so as
to defeat access via an editor functions.
The above will have the benefit that a database can be secured,
transported and recovered using the site SYSDBA password however the
access to the data, both metadata and user data will only be
available to the DBDBA user ID and User ID's created by the DBDBA
User Id. Therefore as the Use of Firebird grows individual suppliers
of software using this mechanism will be able create their own user
id's without affecting any other software that may already be running
on a clients machine
I have reviewed the current enhancement/feature requests
1169129 relating to "SYSDBA password in both security and database"
954769 relating to "Stand-alone databases"
I share the concern about security with the numerous requests and
discussions that happened on the Firebird Forum etc. and would like
to propose the following
1. Leave the SYSDBA user ID and password as masterkey but limit
the functionality of the SYSDBA user ID to system functionality such
as backing up, restoring, and assigning user rights to only the DBDBA
user ID. Do not allow the SYSDBA user ID to be used for accessing
any particular databases Metadata or User data
2. Create a new DBDBA user ID and password that is specific to a
particular database and which must be assigned/created at the time of
creating a database using the SYSDBA user ID and password
3. The new DBDBA user ID must have the following functionality.
· It must be used to access a particular databases Metadata and
user data.
· It should be able to assign rights to users specifically only
for the particular database for which it was created.
· It should be able to be used to backup and restore the
particular database for which it was created
· It should be embedded in the database.
· It should be either encrypted or hidden in the database so as
to defeat access via an editor functions.
The above will have the benefit that a database can be secured,
transported and recovered using the site SYSDBA password however the
access to the data, both metadata and user data will only be
available to the DBDBA user ID and User ID's created by the DBDBA
User Id. Therefore as the Use of Firebird grows individual suppliers
of software using this mechanism will be able create their own user
id's without affecting any other software that may already be running
on a clients machine