Subject Re: aliases.conf API?
Author mspencewasunavailable
--- In, "alexpeshkoff"
<alexpeshkoff@...> wrote:
> > ExternalFileAccess = Restrict C:\Program
> Files\Firebird\Firebird_2_0
> This is very-very BAD idea from security POV.
> Take a look at firebird.conf, before doing it, and you will see
> recomendation to never let sub-trees, enabled for external files
> UDFS, overlap. When they do (like in this sample provided
> was not modified), one can create external table C:\Program
> Files\Firebird\Firebird_2_0\UDF\hack.dll, write arbitrary commands
> in it and afterwards execute with system privileges, loading as
> in firebird. This very old security vulnerability was fixed in
> by adding separate access control to UDFs, external files and
> databases, but it will not work if you tune your firebird.conf in
> this way.
> Moreover, one can overwrite everything in firebird install
> directory, including firebird.conf and even some binaries. Do not
> use such tricks, please, to access that aliases list.

D'OH! A part of the message that you didn't quote:

"and also help you understand why the ExternalFileAccess directive is
a really good idea"

was meant to render the whole post ironic (which would have come
across clearly if I had spoken the words out loud) but I see that in
spite of the opening and closing lines, the messsage was ambiguous
after all.

So just to be clear: Don't try this at home, kids. The point of
ExternalFileAccess et. al. is so that you can keep people from doing
any of this sort of stuff in the first place.

And I'll try to refrain from posting replies on late Friday

Michael D. Spence
Mockingbird Data Systems, Inc.