Subject Re: Embedded Firebird Security - Basic Questions
Author Adam
--- In, Paul Vinkenoog <paul@...> wrote:
> Hi Pri,
> > 1. I am new to Firebird, and want to use Firebird embedded. So, my
> > application is easier to deploy. What I need is just a few Firebird
> > DLLs (fbembed, etc).
> >
> > -> Am I correct?
> Yes, look in the Release Notes for the exact details.
> > 2. How about the security in embedded Firebird? Anyone can copy the
> > file (if they have filesystem access) and open it using various
> > tools.
> Yes, but please understand that this is the case with ALL Firebird
> databases. There's no such thing as a "Firebird Embedded" database as
> opposed to other Firebird databases.
> The difference with Embedded is that the server security check is
> bypassed. Anyone can connect as any user, with any password, but they
> MUST have filesystem access to the database file.
> With regular Firebird servers, the users don't need (and indeed should
> not have) filesystem access to the database file.
> > Any idea to protect data in the database itself? No matter people
> > can copy the database, if they cannot open it.
> Firebird has no data encryption features. If you want to protect your
> data in case someone gets hold of the database, encrypt sensitive data
> before you feed them to the database.
> Greetings,
> Paul Vinkenoog

Hi Pri,

If you grant someone file system access to either a Firebird database
file or a Firebird backup, then they can make themselves a SYSDBA.
Read Geoff Worboys' paper which addresses this and several other issues.

If your security requirement means that "No matter people
can copy the database, if they cannot open it", then embedded is not a
good choice. A terminal services delivery model is a good way to get
the ease of deployment with the security of no filesystem access to
the database by untrusted users.
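
Added example, not part of the original thread or of Firebird itself: a sketch in Go of the "encrypt sensitive data before you feed them to the database" advice, using AES-256-GCM and binding each value to its table, column and primary key so that someone who edits the file as SYSDBA cannot move an encrypted value to another row unnoticed. The function names and the `TABLE.COLUMN:id` label format are assumptions, and the key is assumed to be kept outside the database file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewFieldCipher builds an AES-256-GCM AEAD from a 32-byte key.
// Assumption: the key is provisioned outside the database file.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one column value before it is written to the database.
// aad is a hypothetical "TABLE.COLUMN:id" label that ties the blob to its row.
func SealField(a cipher.AEAD, plaintext []byte, aad string) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored blob layout: nonce || ciphertext || tag.
	return a.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// OpenField decrypts a stored blob; it fails if the blob or its label changed.
func OpenField(a cipher.AEAD, blob []byte, aad string) ([]byte, error) {
	if len(blob) < a.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:a.NonceSize()], blob[a.NonceSize():]
	return a.Open(nil, nonce, ct, []byte(aad))
}

func main() {
	key := make([]byte, 32) // constructed demo key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	a, _ := NewFieldCipher(key)
	blob, _ := SealField(a, []byte("constructed secret"), "CUSTOMER.NOTE:42")
	_, err := OpenField(a, blob, "CUSTOMER.NOTE:43") // blob copied to another row
	fmt.Println(len(blob), err != nil)
}
```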