As far as I know IB is NOT secure for this type of access... For Interbase to be secure it must be kept on a secure file system and users who shouldn't have access to the database should not have access to the database file... End of storey... (well not quite)
Apparently (never tried it just read about it (and it is all from memory!)), all you need to do to get around the Interbase security is copy the database file onto another PC with a different security database (isc4.gdb from memory)... And hey presto, you now have access to the database using the credentials in the new isc4.gdb database... I guess if a user had access to the isc4.gdb they could also overwrite it with a new one... For us here, this is fine as no user (other than the administrators) have access to the security or data database, they are locked up with NTFS security. I believe the firebird project are looking to update the security in the future... I shall see if I can find an article on IB security... Yip, here are a couple: http://www.ibphoenix.com/art_fb_security.html http://www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm Regards Colin -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Scadden Sent: Monday, 19 November 2001 9:39 a.m. To: Multiple recipients of list database Subject: [DUG-DB]: Interbase security. I am create some fairly valuable data inside an Interbase database at moment. The application installs and creates the database, and sets up a working account with a password based on a hash of machine characteristics. The machine characteristics used are encrypted with Blowfish and stored in an ascii file so can recover password if machine characteristics change. The database is used in Local server mode only, no network access. Now what I am wanting to guard against is someone lifting the GDB file off disk and taking it away to pull the data off it. I realise that no data is likely to resist a really determined attack but I do want it so someone has to invest considerable effort to achieve this. Question: Is interbase security enough or are there tools to prise the data out without knowing the passwords to the database? I realise it is going to be more secure if I encrypt data inside the database as well but this adds load to every store and retrieve operation which I am hoping to avoid. ---------------------------------------------------------- Phil Scadden, Institute of Geological and Nuclear Sciences 41 Bell Rd South, PO Box 30368, Lower Hutt, New Zealand Ph +64 4 5704821, fax +64 4 5704603 ------------------------------------------------------------------------ --- New Zealand Delphi Users group - Database List - [EMAIL PROTECTED] Website: http://www.delphi.org.nz --------------------------------------------------------------------------- New Zealand Delphi Users group - Database List - [EMAIL PROTECTED] Website: http://www.delphi.org.nz
