Subject RE: [firebird-support] Securing access to stored procedures
Author Alan McDonald
> I'm considering bundling a Firebird database file and Firebird server
> installer with some vertical market software of ours that is not open
> source. I'm trying to strategize on some of the ways that we can
> release our database design, which includes a lot of stored procedures -
> some of which contain important business logic that we do not want 'in
> the open' or visible to our customers.

You can delete the trigger, procedure code after compiling BLR.

> Our goal is to include this content as a self-installer package that
> will automatically install on a client's server platform. Most of our
> clients are running Windows server platforms, so I'm ok with it working
> this way on Windows servers to begin with.
> The challenge for us is how to package a Firebird Server installation,
> our meta data, etc. and not disclose the sysdba password. I need to

I don't think you can realistically not reveal the SYSDBA password. What
happens when your client already has FB installed - you can't deny them
access to their own setup.
You can create another user which owns the DB and is used for updates to
metadata and then re-destroy the procedure code but all this is not at all
secure if that's what you are after.
Did you read that paper which is often cited here about security?
I thought you'd been around here long enough to see many discussions on this
and the topic you are talking about.

> have our client application pre-create user accounts for the server that
> allows Firebird to control access to tables, views, stored procedures,
> etc. Basically I would have user accounts created that would support
> our client application's need to execute stored procedures, read/write
> to tables, etc. A separate set of user accounts would be provided for
> the users to access tables in read/only state for ODBC/user report
> generation, etc.
> But in no case do I want the user to be able see the stored procedures
> in the database.
> How can this be done? Are other ISVs or vertical market software
> developers able to bundle Firebird Server installations with this level
> of lockdown successfully?
> Myles
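
The two measures discussed in this thread, shown together as an added example that is not part of either poster's message: role-based grants for an application account and a read-only reporting account, followed by removal of procedure and trigger source text once the BLR is compiled. All object, role and user names are hypothetical, and the script assumes a server version that permits direct updates to these RDB$ columns.

```sql
-- Hypothetical names: CALC_PRICE (procedure), ORDERS (table),
-- APP_EXEC / REPORT_RO (roles), APP_USER / REPORT_USER (users).
-- Run as the database owner, not from the client application.

-- 1. One role for the application, one for read-only reporting.
CREATE ROLE APP_EXEC;
CREATE ROLE REPORT_RO;
COMMIT;

-- 2. Application role: execute the procedure, read/write the table.
GRANT EXECUTE ON PROCEDURE CALC_PRICE TO ROLE APP_EXEC;
GRANT SELECT, INSERT, UPDATE, DELETE ON ORDERS TO ROLE APP_EXEC;

-- 3. Reporting role: SELECT only (ODBC / user report generation).
GRANT SELECT ON ORDERS TO ROLE REPORT_RO;

-- 4. Attach users to roles. The role only takes effect when the
--    client names it at connect time.
GRANT APP_EXEC TO USER APP_USER;
GRANT REPORT_RO TO USER REPORT_USER;
COMMIT;

-- 5. Remove the readable source of user-defined procedures and triggers.
--    The compiled BLR (RDB$PROCEDURE_BLR, RDB$TRIGGER_BLR) is untouched,
--    so the code keeps running. Keep the original source elsewhere:
--    it cannot be recovered from the database afterwards.
UPDATE RDB$PROCEDURES
   SET RDB$PROCEDURE_SOURCE = NULL
 WHERE COALESCE(RDB$SYSTEM_FLAG, 0) = 0;

UPDATE RDB$TRIGGERS
   SET RDB$TRIGGER_SOURCE = NULL
 WHERE COALESCE(RDB$SYSTEM_FLAG, 0) = 0;
COMMIT;

-- 6. Check: both queries should return no rows.
SELECT RDB$PROCEDURE_NAME FROM RDB$PROCEDURES
 WHERE RDB$PROCEDURE_SOURCE IS NOT NULL
   AND COALESCE(RDB$SYSTEM_FLAG, 0) = 0;

SELECT RDB$TRIGGER_NAME FROM RDB$TRIGGERS
 WHERE RDB$TRIGGER_SOURCE IS NOT NULL
   AND COALESCE(RDB$SYSTEM_FLAG, 0) = 0;
```

The BLR left in the system tables remains readable by SYSDBA and the database owner, so this hides the source text only, consistent with the reply's point that it is not a security boundary.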