Subject Re: FB number of connections with Usernames.count
Author tomsee7
This is my last post on this subject, and just for the record I have been using IB/FB for 14 years.

--- In firebird-support@yahoogroups.com, Helen Borrie:

>> I'm not sure how being able to get a list of connected users constitutes a security issue.

> Well, even if you're not sure, at least someone is looking after it for you.

That doesn't answer the point made, Helen.

> And if they are *that* wise, they will make sure they read the release notes, at least that's what one hopes. Otherwise, why bother to publish them at all?

They were indeed read, see underneath.

> From Firebird 2.1.2 onwards, it is right there in a pink box in Chapter 2, New Features. From Firebird 2.0.5 onwards, it is right there in Chapter 1, General Notes, headed Important Notice (and also documented in Chapter 3, the section that deals with the API changes...worth your attention if you are using Delphi components that were written for Firebird 1.5).

Reviewing your previous paragraph I cannot, as before, see any reference to a closed ability to retrieve user connection counts/names.

The pink box you refer to: "A long-standing, legacy loophole in the handling of DPB parameters enabled ordinary users to make connection settings that could lead to database corruptions or give them access to SYSDBA-only operations.... Details are in Chapter 3, Changes to the Firebird API and ODS."

The actual details in the chapter only speak of 'Several DPB parameters have been made inaccessible to ordinary users' and
*** then documents them ***
i.e. isc_dpb_shutdown ... to isc_dpb_set_page_buffers

Unless I am missing something, which parameter relates to no longer being able to ascertain user connections? Also, if it is present then an explicit statement somewhere would have been desirable/helpful.

> As moderator of this list, I ask that you please do not use the support list to conduct flame attacks against people who are trying to help you. If you don't understand something someone tells you, make a point to explain what you don't understand and ask politely for more information.

By breaking applications and being told to 'write your own licensing server' is, I believe, an outrageous thing to say. It was not directed at the person but more at the statement and was in no way 'a flame attack' but rather a perfectly valid response.

Tom