Subject | Re: [firebird-support] External Tables |
---|---|
Author | Helen Borrie |
Post date | 2018-03-12T19:19:32Z |
Saturday, March 10 alansbraga@... wrote:

> I'm trying to create an external table with a normal user and I'm getting this error:
> This operation is not defined for system tables.
> unsuccessful metadata update.
> CREATE TABLE EXT_CTB_LANCAMENTO failed.
> There is no privilege for this operation.
> How do I grant permission to a regular user to create external
> tables? During my tests only sysdba could create them.

Access to the database via external tables is a potential
vulnerability. If a non-privileged user is allowed to create and
manipulate the metadata of database objects, the vulnerability
escalates. Hence the restriction you are encountering when a
non-privileged user tries to create a table.

If you are using Firebird 3, you can grant permission to any ordinary
user (or a user with a specific role) to create tables. With that
privilege, that user can create and manipulate metadata for *any*
table. You would have to feel very sure that the appointed user, or
users with that role, would not mess with any other tables or abuse
the privilege in any way.

You can read about metadata privileges (sometimes nicknamed "DDL
privileges") here:
https://www.firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-access-sql.html#rnfb30-security-metadataprivs

You should restrict the location of external files as heavily as
possible, by setting the allowed location in firebird.conf, via the
ExternalFileAccess parameter with the RESTRICT argument. Don't forget
that you have to restart Firebird after changes to firebird.conf or
databases.conf.

Helen
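
The following is an added example, not part of the post above and not Firebird project code: a Python check an administrator could run over the text of firebird.conf to confirm that ExternalFileAccess is either disabled or set to Restrict with a narrow, semicolon-separated directory list. The sample configuration strings, the `BROAD_TREES` list and the function names are constructed for illustration; POSIX paths and "last occurrence wins" are assumptions.

```python
import posixpath

# Constructed sample firebird.conf fragments, not taken from a real server.
SAMPLE_WEAK = "#ExternalFileAccess = None\nExternalFileAccess = Full\n"
SAMPLE_RESTRICTED = "ExternalFileAccess = Restrict /srv/firebird/ext;/var\n"
# Hypothetical list of trees treated as too broad for external files.
BROAD_TREES = {"/", "/etc", "/home", "/tmp", "/usr", "/var"}


def external_file_access(conf_text):
    """Return (mode, trees) for the effective ExternalFileAccess setting."""
    mode, trees = "none", []  # the shipped default is None (disabled)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != "externalfileaccess":
            continue
        words = value.split(None, 1)
        mode = words[0].lower() if words else "none"
        rest = words[1] if len(words) > 1 else ""
        trees = [t.strip() for t in rest.split(";") if t.strip()]
    return mode, trees  # assumption: the last occurrence in the file wins


def audit(conf_text):
    """Return findings; an empty list means nothing to flag."""
    mode, trees = external_file_access(conf_text)
    if mode == "none":
        return []
    if mode == "full":
        return ["ExternalFileAccess = Full: external tables may use any path"]
    if mode != "restrict":
        return [f"unrecognised ExternalFileAccess mode: {mode}"]
    if not trees:
        return ["Restrict is set without a directory list"]
    findings = []
    for tree in trees:
        norm = posixpath.normpath(tree)  # assumption: POSIX paths
        if not posixpath.isabs(norm):
            findings.append(f"relative tree {tree!r}: check what it resolves to")
        elif norm in BROAD_TREES:
            findings.append(f"tree {tree!r} is broader than a dedicated directory")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_WEAK), audit(SAMPLE_RESTRICTED))
```

Run it against the live file with `audit(open(path).read())`, and re-check after the Firebird restart that the post mentions.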