| Subject | Re: [firebird-support] Need security advice from the pros |
|---|---|
| Author | Marcin Bury |
| Post date | 2008-08-29T17:28:37Z |
Zd
I would go for idea no 3 with little modifications:
create role in your db, grant all rights to this role, create users and then
grant role to these users. Encode this role in your application and use it
while connecting to db. A user will not have any knowledge about the role,
so when even he connects to the db with other app, he will have no rights to
db's objects. If you want to 'complicate' it more - let db user use some
string prefix or suffix i.e when you have 'user1' in your user table - let
db user be 'user1_b2$', after connecting to db
strip the suffix (_b2$)
My 0.02$
Marcin
I would go for idea no 3 with little modifications:
create role in your db, grant all rights to this role, create users and then
grant role to these users. Encode this role in your application and use it
while connecting to db. A user will not have any knowledge about the role,
so when even he connects to the db with other app, he will have no rights to
db's objects. If you want to 'complicate' it more - let db user use some
string prefix or suffix i.e when you have 'user1' in your user table - let
db user be 'user1_b2$', after connecting to db
strip the suffix (_b2$)
My 0.02$
Marcin
----- Original Message -----
From: "Zd" <toldy007@...>
To: <firebird-support@yahoogroups.com>
Sent: Friday, August 29, 2008 2:24 PM
Subject: [firebird-support] Need security advice from the pros
> Dear Group,
>
> Please help me with the following security considerations:
>
> My program connects to an FB2.1 DB running on XP. Many different users are
> going to use my client program to connect to the database.
>
> Unfortunately, my program doesn't use "users" in the FB DB, instead it
> uses the SYSDBA password to connect to the database. Each user has a
> login/pass pair stored in the database in a table that is used for
> authentication inside my program.
>
> Here are my problems:
> 1, I can't redesign the program since it has a sofisticated built-in
> rights management mechanism, so I have to stay with the solution outlined
> above.
> 2, Clients will be connecting through LAN and through the Internet - so
> the database will be exposed on the Internet.
> 3, The program will be running at different companies.
>
> I came up with the following ideas:
> 1, Storing the SYSDBA pass encoded in the app's code. -> The problem: a
> good hacker could reverse engineer the code and get access to any of
> companies' databases running my program!
> 2, Storing the SYSDBA pass in a separate file, using a different passfile
> for each company -> The problem: a good hacker could get and reverse
> engineer the code from the file and hack the company's database
> 3, Creating a separate DB user for each user of my program's users with
> SYSDBA rights. Username / password would match their logins from the
> program. -> The problem: the users could use a simple DB manager to
> connect to the database and have access to all the data.
> 4, The SYSDBA password is changed every night automatically. Before the
> client authenticates, it gets the actual password using an SSL connection
> (by giving their username / password). The encoded password is sent over
> the network. -> The problem: a good hacker could get the password sent
> over the Internet. One day should be more than enough to get the contents
> of the entire database!
>
> Any other options that I have available? From the above, option 4 seems to
> be the most secure for more, but any ideas are welcome!
>
> Thank you:
> Zd
>
> [Non-text portions of this message have been removed]
>
>
> ------------------------------------
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Visit http://www.firebirdsql.org and click the Resources item
> on the main (top) menu. Try Knowledgebase and FAQ links !
>
> Also search the knowledgebases at http://www.ibphoenix.com
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Yahoo! Groups Links
>
>
>