Subject | Re: security problem with user permission! |
---|---|
Author | Adam |
Post date | 2006-02-20T22:33:22Z |

I would recommend against Milan's suggestion here unless you know what
you are doing. Certainly forget using it at your first look into
Firebird ;)

Boguslaw, look at the 2006 roadmap on the firebirdsql.org website:

"User permissions for metadata"
Protect all metadata with security classes. Implement metadata-level
permissions. Add database-level permissions like BACKUP, DROP, etc.
(Listed as high)

I think Set's solution is quite good. A user cannot add objects if
they do not know their real password. Use a simple hashing function
like SHA-1, even MD5 is fine. Also, avoid allowing the user to execute
arbitrary SQL. Apart from the security implications, there are some
serious performance considerations.

Adam