On Wed, Jul 27, 2011 at 15:35, Tony Whyman <tony.why...@mccallumwhyman.com> wrote:
> This is really a general UDF problem and another reason why you need to
> be very careful about deploying them. The only difference between an
> embedded function and UDF one is that theoretically a System Admin
> should check the UDF before installing it....
>
> Otherwise, it has the same potential to damage.
>
If you have a programming language compiler or interpreter at hand, the last
security hole will be the UDF, because I can do whatever I want with a
programming language :)
If people have access to Firebird and load a malicious shared library, then it
does not matter anymore, because Firebird does not contain a specific shared
library structure, but uses the OS to load it and execute the code.
Firebird should create a lot of mechanisms to protect the loading of UDFs, but
once you have passed them, there is not much that can be done imho.
>
> On 27/07/11 12:40, Alex Peshkoff wrote:
> > On 07/27/11 15:11, Tony Whyman wrote:
> >> 6. Just in time compilation of the embedded procedure on first use
> >> (after create/alter) into a shared library/DLL which is then effectively
> >> a dynamically generated UDF library. A JIT approach is important because
> >> the database can be moved between processor architectures/platforms and
> >> it is important to be able to recompile automatically for the new
> >> platform.
> > Before doing JIT, we must think about related security issues. How can
> > we prevent pascal procedure from doing bad things with firebird runuser
> > access rights?
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Got Input? Slashdot Needs You.
> > Take our quick survey online. Come on, we don't ask for help often.
> > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
> > http://p.sf.net/sfu/slashdot-survey
> > Firebird-Devel mailing list, web interface at
> > https://lists.sourceforge.net/lists/listinfo/firebird-devel