Subject | Re: [firebird-support] Bingo! No real security there. |
---|---|
Author | Geoff Worboys |
Post date | 2005-04-25T21:36:58Z |
Johan,

What is your point? You did not have to go to the Clarion
newsgroup for this information.

Helen's book describes the problem clearly: "Any embedded
server library located on a machine that hosts databases is
a potential Trojan horse." And then goes on to explain a
few things, like...

The embedded server operates in the application user's
context. To access the file the user running the Trojan horse
must have direct access to the file. If file permissions on
the database are in place to protect against untrusted users
then there is no problem. If the user is trusted (has direct
access to the file legitimately) then embedded makes little
difference. See:
http://www.firebirdsql.org/index.php?op=doc&sub=contrib&id=fb_meta_security

(Embedded gets only a minor mention in the article because it
is just another way to circumvent security once you have direct
access to a file.)

--
Geoff Worboys
Telesis Computing

Johan van Zyl wrote:
> From Clarion NewsGroup
> if i recall, the whole premise behind the embedded (fbembed.dll) is that it
> "trusts" the connection from the application and by-passes all security.
> so basically, all one needs to do is install the embedded version of fb and
> the free version of ibexpert and open the fdb file. the world is your
> oyster...
> -pratik
> Bingo! No real security there.
> Andre
> ----------------------------
> Johan van Zyl
> JVZ Systems CC/realcorp.net
> Customised Software
> http://www.jvz.co.za
> johan@...
> 021 851 7205
> 082 875 4238
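
The reply above rests on file permissions being the real control, so here is one way to audit them, as an added example that is not part of the original thread or of Firebird itself. It assumes a POSIX host where a dedicated service account should be the only account able to open the database files; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_fdb_permissions(root, service_uid):
    """Return (path, reason) findings for *.fdb files under root that accounts
    other than service_uid (assumed: the server's account) could open directly."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".fdb"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: audit the target instead"))
                continue
            if st.st_uid != service_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not the service account"))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, f"group/other access, mode {stat.S_IMODE(st.st_mode):04o}"))
            # A writable directory lets another user replace the database file.
            if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "parent directory is group/other writable"))
    return findings

def demo():
    """Build a constructed sample tree (two empty files) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        for name, mode in (("good.fdb", 0o600), ("bad.fdb", 0o644)):
            path = os.path.join(root, name)
            with open(path, "wb"):
                pass
            os.chmod(path, mode)
        results = audit_fdb_permissions(root, os.getuid())
        return [(os.path.basename(p), reason) for p, reason in results]

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

Any file it reports is one that a local user could open with an embedded library in their own context, which is the case the thread is arguing about.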