| Subject | RE: [firebird-support] Bingo! No real security there. |
|---|---|
| Author | Johan van Zyl |
| Post date | 2005-04-26T06:27:58Z |
My Point is:
I am a Clarion programmer and I spend more time in the Clarion NG's that in
the FB ones, at this point in time!
That is were we the Clarion programmers, amongst other things, discuss the
problems we are having with our databases.
The FireBird security issue has been reaised many times in the Clarion NG's.
I came to this forum, where the FIrebird experts hang out, to get some peace
of mind, and report back to the Clarion community.
Is that not OK then? Who shall we turn to - or just forget about FireBird?
Johan van Zyl
-----Original Message-----
From: firebird-support@yahoogroups.com
[mailto:firebird-support@yahoogroups.com]On Behalf Of Geoff Worboys
Sent: 25 April 2005 23:37
To: firebird-support@yahoogroups.com
Subject: Re: [firebird-support] Bingo! No real security there.
Johan,
What is your point? You did not have to go to the Clarion
newsgroup for this information.
Helen's book describes the problem clearly: "Any embedded
server library located on a machine that hosts databases is
a potential Trojan horse." And then goes on to explain a
few things, like...
The embedded server operates in the application users
context. To access the file the user running the Trojan horse
must have direct access to the file. If file permissions on
the database are in place to protect against untrusted users
then there is no problem. If the user is trusted (has direct
access to the file legimitately) then embedded makes little
difference. See:
http://www.firebirdsql.org/index.php?op=doc&sub=contrib&id=fb_meta_security
(Embedded gets only a minor mention in the article because it
is just another way to circumvent security once you have direct
access to a file.)
--
Geoff Worboys
Telesis Computing
Johan van Zyl wrote:
--
Yahoo! Groups Links
a.. To visit your group on the web, go to:
http://groups.yahoo.com/group/firebird-support/
b.. To unsubscribe from this group, send an email to:
firebird-support-unsubscribe@yahoogroups.com
c.. Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
----------
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.2 - Release Date: 21/04/2005
[Non-text portions of this message have been removed]
I am a Clarion programmer and I spend more time in the Clarion NG's that in
the FB ones, at this point in time!
That is were we the Clarion programmers, amongst other things, discuss the
problems we are having with our databases.
The FireBird security issue has been reaised many times in the Clarion NG's.
I came to this forum, where the FIrebird experts hang out, to get some peace
of mind, and report back to the Clarion community.
Is that not OK then? Who shall we turn to - or just forget about FireBird?
Johan van Zyl
-----Original Message-----
From: firebird-support@yahoogroups.com
[mailto:firebird-support@yahoogroups.com]On Behalf Of Geoff Worboys
Sent: 25 April 2005 23:37
To: firebird-support@yahoogroups.com
Subject: Re: [firebird-support] Bingo! No real security there.
Johan,
What is your point? You did not have to go to the Clarion
newsgroup for this information.
Helen's book describes the problem clearly: "Any embedded
server library located on a machine that hosts databases is
a potential Trojan horse." And then goes on to explain a
few things, like...
The embedded server operates in the application users
context. To access the file the user running the Trojan horse
must have direct access to the file. If file permissions on
the database are in place to protect against untrusted users
then there is no problem. If the user is trusted (has direct
access to the file legimitately) then embedded makes little
difference. See:
http://www.firebirdsql.org/index.php?op=doc&sub=contrib&id=fb_meta_security
(Embedded gets only a minor mention in the article because it
is just another way to circumvent security once you have direct
access to a file.)
--
Geoff Worboys
Telesis Computing
Johan van Zyl wrote:
>>From Clarion NewsGroupit
> if i recall, the whole premise behind the embeded (fbembed.dll) is that
> "trusts" the connection from the application and by-passes all security.and
> so basicaly , all one needs to do is install the embedded version of fb
> the free version of ibexpert and open the fdb file. the world is your----------------------------------------------------------------------------
> oyster...
> -pratik
> Bingo! No real security there.
> Andre
> ----------------------------
> Johan van Zyl
> JVZ Systems CC/realcorp.net
> Customised Software
> http://www.jvz.co.za
> johan@...
> 021 851 7205
> 082 875 4238
--
Yahoo! Groups Links
a.. To visit your group on the web, go to:
http://groups.yahoo.com/group/firebird-support/
b.. To unsubscribe from this group, send an email to:
firebird-support-unsubscribe@yahoogroups.com
c.. Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
----------
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.2 - Release Date: 21/04/2005
[Non-text portions of this message have been removed]