Subject RE: [firebird-support] Securing access to stored procedures
Author Alan McDonald
> I'm considering bundling a Firebird database file and Firebird server
> installer with some vertical market software of ours that is not open
> source. I'm trying to strategize on some of the ways that we can
> release our database design, which includes a lot of stored procedures -
> some of which contain important business logic that we do not want 'in
> the open' or visible to our customers.

You can delete the trigger, procedure code after compiling BLR.

>
> Our goal is to include this content as a self-installer package that
> will automatically install on a client's server platform. Most of our
> clients are running Windows server platforms, so I'm ok with it working
> this way on Windows servers to begin with.
>
> The challenge for us is how to package a Firebird Server installation,
> our meta data, etc. and not disclose the sysdba password. I need to

I don't think you can realistically not reveal the SYSDBA password. What
happens when your client already has FB installed - you can't deny them
access to their own setup.
You can create another user which owns the DB and is used for updates to
metadata and then re-destroy the procedure code but all this is not at all
secure if that's what you are after.
Did you read that paper which is often cited here about security?
http://www.firebirdsql.org/manual/fbmetasecur.html
I thought you'd been around here long enough to see many discussions on this
and the topic you are talking about.
Alan

> have our client application pre-create user accounts for the server that
> allows Firebird to control access to tables, views, stored procedures,
> etc. Basically I would have user accounts created that would support
> our client application's need to execute stored procedures, read/write
> to tables, etc. A separate set of user accounts would be provided for
> the users to access tables in read/only state for ODBC/user report
> generation, etc.
>
> But in no case do I want the user to be able see the stored procedures
> in the database.
>
> How can this be done? Are other ISVs or vertical market software
> developers able to bundle Firebird Server installations with this level
> of lockdown successfully?
>
> Myles
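
As an added illustration, not part of the original messages and not the Firebird project's own script: the source removal mentioned in the reply and the two classes of accounts described in the question, written as Firebird SQL. The procedure, table, role and user names are hypothetical, and the system-table updates assume a server that still permits direct writes to RDB$ tables (Firebird 3.0 and later make them read-only).

```sql
-- Added example; every object, role and user name below is hypothetical.

-- 1. One role per account class described in the question.
CREATE ROLE APP_RW;      -- used by the client application
CREATE ROLE REPORT_RO;   -- used by ODBC / report users

-- Application accounts may execute procedures and modify data.
GRANT EXECUTE ON PROCEDURE SP_POST_INVOICE TO APP_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON INVOICES TO APP_RW;

-- Reporting accounts get read access to tables only.
GRANT SELECT ON INVOICES TO REPORT_RO;

-- A role only takes effect when the connection names it at login.
GRANT APP_RW TO APPLOGIN;
GRANT REPORT_RO TO REPORTLOGIN;

-- 2. Blank the stored source text of user procedures and triggers.
--    Run as the database owner or SYSDBA, on the copy that ships,
--    and keep the DDL scripts under your own version control.
UPDATE RDB$PROCEDURES
   SET RDB$PROCEDURE_SOURCE = NULL
 WHERE RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0;

UPDATE RDB$TRIGGERS
   SET RDB$TRIGGER_SOURCE = NULL
 WHERE RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0;

COMMIT;

-- 3. Pre-release check: both counts should be 0.
SELECT COUNT(*) AS PROCS_WITH_SOURCE
  FROM RDB$PROCEDURES
 WHERE RDB$PROCEDURE_SOURCE IS NOT NULL
   AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0);

SELECT COUNT(*) AS TRIGGERS_WITH_SOURCE
  FROM RDB$TRIGGERS
 WHERE RDB$TRIGGER_SOURCE IS NOT NULL
   AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0);
```

The compiled BLR stays in RDB$PROCEDURE_BLR and RDB$TRIGGER_BLR, so this hides only the readable text, in line with the reply's caveat that it is not secure.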