Subject AW: [firebird-support] Securing access to stored procedures
Author Steffen Heil
The security of your stored procedures relies on blocking physical access to the database file.
(For example: You can always open the database file with the embedded engine and thereby bypass all security constraints.)

There is a current thread discussing this in detail: Firebird - no security??? Seems unbelievable....
Please use the archive and discuss there.

Best regards,
Steffen


-----Original Message-----
From: firebird-support@yahoogroups.com [mailto:firebird-support@yahoogroups.com] On Behalf Of Myles Wakeham
Sent: Thursday, November 12, 2009 19:00
To: firebird-support@yahoogroups.com
Subject: [firebird-support] Securing access to stored procedures

I'm considering bundling a Firebird database file and Firebird server
installer with some vertical market software of ours that is not open
source. I'm trying to strategize on some of the ways that we can
release our database design, which includes a lot of stored procedures -
some of which contain important business logic that we do not want 'in
the open' or visible to our customers.

Our goal is to include this content as a self-installer package that
will automatically install on a client's server platform. Most of our
clients are running Windows server platforms, so I'm ok with it working
this way on Windows servers to begin with.

The challenge for us is how to package a Firebird Server installation,
our meta data, etc. and not disclose the sysdba password. I need to
have our client application pre-create user accounts for the server that
allows Firebird to control access to tables, views, stored procedures,
etc. Basically I would have user accounts created that would support
our client application's need to execute stored procedures, read/write
to tables, etc. A separate set of user accounts would be provided for
the users to access tables in read/only state for ODBC/user report
generation, etc.

But in no case do I want the user to be able to see the stored procedures
in the database.

How can this be done? Are other ISVs or vertical market software
developers able to bundle Firebird Server installations with this level
of lockdown successfully?

Myles
--
=======================
Myles Wakeham
Director of Engineering
Tech Solutions USA, Inc.
Scottsdale, Arizona USA
http://www.techsolusa.com
Phone +1-480-451-7440


