| Subject | Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
|---|---|
| Author | Zd |
| Post date | 2008-11-10T15:44:53Z |
OK, so I got the solution I think.
Please take a look as I don't want to overlook anything and open any security holes:
Database has two users:
SYSDBA, and SECUSER
SYSDBA's password is stored in a table called "CODETABLE".
The following grants are executed using SYSDBA:
GRANT EXECUTE ON PROCEDURE GET_DB_PASSWORD TO SECUSER;
GRANT SELECT ON CodeTable TO PROCEDURE GET_DB_PASSWORD;
GRANT SELECT ON Users TO PROCEDURE GET_DB_PASSWORD;
As you see, SECUSER has access only to GET_DB_PASSWORD, and only the stored procedure has access to the SYSDBA password in CODETABLE!
The stored procedure's code is the following:
CREATE PROCEDURE GET_DB_PASSWORD(
USERNAME VARCHAR(100) CHARACTER SET UTF8,
"PASSWORD" VARCHAR(100) CHARACTER SET UTF8)
RETURNS(
DB_PASSWORD VARCHAR(8) CHARACTER SET UTF8,
ISSUCCESSFUL SMALLINT)
AS
BEGIN
IsSuccessful = 0;
SELECT (SELECT CodeValue FROM CodeTable WHERE
CodeName = 'DatabasePassword')
FROM Users
WHERE
Username = :Username AND
Passwd = :"PASSWORD"
INTO :DB_Password;
IF (ROW_COUNT = 1) THEN
IsSuccessful = 1;
SUSPEND;
END;
So what do you think? I tried and it works, but any ideas whether this is a SECURE solution too?
-Zd
Please take a look as I don't want to overlook anything and open any security holes:
Database has two users:
SYSDBA, and SECUSER
SYSDBA's password is stored in a table called "CODETABLE".
The following grants are executed using SYSDBA:
GRANT EXECUTE ON PROCEDURE GET_DB_PASSWORD TO SECUSER;
GRANT SELECT ON CodeTable TO PROCEDURE GET_DB_PASSWORD;
GRANT SELECT ON Users TO PROCEDURE GET_DB_PASSWORD;
As you see, SECUSER has access only to GET_DB_PASSWORD, and only the stored procedure has access to the SYSDBA password in CODETABLE!
The stored procedure's code is the following:
CREATE PROCEDURE GET_DB_PASSWORD(
USERNAME VARCHAR(100) CHARACTER SET UTF8,
"PASSWORD" VARCHAR(100) CHARACTER SET UTF8)
RETURNS(
DB_PASSWORD VARCHAR(8) CHARACTER SET UTF8,
ISSUCCESSFUL SMALLINT)
AS
BEGIN
IsSuccessful = 0;
SELECT (SELECT CodeValue FROM CodeTable WHERE
CodeName = 'DatabasePassword')
FROM Users
WHERE
Username = :Username AND
Passwd = :"PASSWORD"
INTO :DB_Password;
IF (ROW_COUNT = 1) THEN
IsSuccessful = 1;
SUSPEND;
END;
So what do you think? I tried and it works, but any ideas whether this is a SECURE solution too?
-Zd
----- Original Message -----
From: Anderson Farias
To: firebird-support@yahoogroups.com
Sent: Monday, November 10, 2008 11:45 AM
Subject: Re: [firebird-support] Avoiding hard-coding db pass in app - without using db users
Hi,
Apart from a 3-tier arch. or something like what Kjell pointed out, the only (and easy) way I can see is creating a FB user for each real user (if you know who the users are) -- so, each user can connect with a real fb user/pass and you don't have to hard code it.
Regards,
Anderson Farias
[Non-text portions of this message have been removed]
[Non-text portions of this message have been removed]