On 27-7-2011 14:50, Alex Peshkoff wrote:
> On 07/27/11 16:42, ik wrote:
>> On Wed, Jul 27, 2011 at 15:35, Tony Whyman
>> <[email protected]> wrote:
>>
>>> This is really a general UDF problem and another reason why you need to
>>> be very careful about deploying them. The only difference between an
>>> embedded function and a UDF one is that theoretically a System Admin
>>> should check the UDF before installing it....
>>>
>>> Otherwise, it has the same potential to damage.
>>>
>> If you have a programming language compiler or interpreter at hand, the last
>> security hole will be the UDF because I can do whatever I want with a
>> programming language :)
>>
>
> Yes - and this is the main security problem when trying to use generic
> languages instead of PL/SQL.

Of course, if you can live with recompiling platform-dependent code, you can
only supply the runtime functionality for production Firebird servers, and
provide a "development version" of Firebird with the FPC compiler, JDK,
whatever..
This at least allows server admins to sleep easier knowing that there's no
compiler on their machines...

>
>> If people have access to firebird and load a malicious shared library, then it
>> does not matter anymore, because firebird does not contain a specific shared
>> library structure, but uses the OS to load it and execute the code.
>>
>> Firebird should create a lot of mechanisms to protect against loading UDFs, but
>> once you have passed them, there is not much that can be done imho.
>>
> Since FB 1.5 that mechanism exists - by default one can execute UDFs
> only from $FbRoot/UDF directory, and no one except root can add files to it.
> Certainly, it can be broken with invalid access rights in filesystem or
> bad firebird.conf (like almost every security system).

Agreed.

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
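An added example, not code from this thread or from the Firebird project: a small Python audit of the two things Alex says can break the UDF-directory restriction, a bad firebird.conf and bad filesystem access rights. It assumes the UdfAccess key of firebird.conf (Firebird 1.5 and later), whose value is None, Full or Restrict <dir>[;<dir>...] with relative directories resolved against the Firebird root, and a Unix-style installation under an assumed root of /opt/firebird. The config fragment and the stat values used in the demo are constructed.

```python
"""Audit of Firebird's UDF-loading restriction (example added to the thread).

Assumptions: the UdfAccess key of firebird.conf (Firebird 1.5+) takes
'None', 'Full' or 'Restrict <dir>[;<dir>...]', relative directories are
resolved against the Firebird root, and the server runs on a Unix host
where "only root can add files" means root-owned and not group/world-writable.
"""
import collections
import os
import stat

# The 1.5+ default the thread refers to: UDFs only from $FbRoot/UDF.
DEFAULT_UDF_ACCESS = "Restrict UDF"

# Minimal stand-in for os.stat_result so the audit can be driven with
# constructed values (see the demo at the bottom).
DirStat = collections.namedtuple("DirStat", "st_uid st_mode")

SAMPLE_CONF = """\
# constructed firebird.conf fragment for this example
#UdfAccess = Restrict UDF
UdfAccess = Restrict UDF;/srv/udf-extra
ExternalFileAccess = None
"""


def parse_conf(text):
    """Return {key_lower: value} from firebird.conf-style text ('#' comments, Key = Value)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def udf_directories(conf_text, fb_root="/opt/firebird"):
    """Classify the effective UdfAccess setting.

    Returns (mode, dirs): mode is 'none', 'full' or 'restrict'; dirs lists the
    absolute directories UDF libraries may be loaded from (empty for 'full',
    which means any path the server process can read).
    """
    value = parse_conf(conf_text).get("udfaccess", DEFAULT_UDF_ACCESS)
    head, _, rest = value.partition(" ")
    mode = head.strip().lower()
    if mode in ("none", "full"):
        return mode, []
    if mode != "restrict":
        raise ValueError("unrecognised UdfAccess value: %r" % value)
    dirs = []
    for d in rest.split(";"):
        d = d.strip()
        if d:
            dirs.append(d if os.path.isabs(d) else os.path.join(fb_root, d))
    return "restrict", dirs


def directory_findings(st_uid, st_mode, root_uid=0):
    """Findings for one UDF directory, from its owner uid and st_mode bits.

    The guarantee from the thread only holds if nobody but root can add files:
    the directory must be root-owned and neither group- nor world-writable.
    """
    findings = []
    if st_uid != root_uid:
        findings.append("not owned by root (uid %d)" % st_uid)
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit(conf_text, fb_root="/opt/firebird", stat_fn=os.stat):
    """Config mode plus permission findings for every permitted directory."""
    mode, dirs = udf_directories(conf_text, fb_root)
    report = {"mode": mode, "dirs": {}}
    if mode == "full":
        report["dirs"]["*"] = ["any path loadable: UdfAccess = Full"]
        return report
    for d in dirs:
        try:
            st = stat_fn(d)
        except OSError as e:
            report["dirs"][d] = ["cannot stat: %s" % e.strerror]
            continue
        report["dirs"][d] = directory_findings(st.st_uid, st.st_mode)
    return report


if __name__ == "__main__":
    # Demo with constructed stat values: a correct root-owned 0755 directory
    # and a group-writable one that would let non-root users drop a library.
    fake = {"/opt/firebird/UDF": DirStat(0, 0o40755),
            "/srv/udf-extra": DirStat(0, 0o40775)}
    print(audit(SAMPLE_CONF, stat_fn=lambda d: fake[d]))
    print(audit("UdfAccess = Full"))
```

Run against a real server by calling audit() with the contents of the installed firebird.conf and the default os.stat; a non-empty findings list for any permitted directory, or mode 'full', means the 1.5 restriction is not actually protecting that host.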
