non-privileged user can know real name of database file even when connected 
via its alias
-------------------------------------------------------------------------------------------

                 Key: CORE-3797
                 URL: http://tracker.firebirdsql.org/browse/CORE-3797
             Project: Firebird Core
          Issue Type: Task
    Affects Versions: 2.5.1
            Reporter: Pavel Zotov


I think that the following ability of a non-privileged user is somewhat like a 
hole in security, but of course I may be mistaken.
Suppose we have some folder where our databases live: c:\some_hidden_place

C:
CD\
MD \SOME_HIDDEN_PLACE

Let's create a database and a common user:

C:\SOME_HIDDEN_PLACE>isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'c:\some_hidden_place\t1.fdb'; commit;
SQL> create user u0 password 'u0'; commit;
SQL> exit;

Then add an alias for this database file to aliases.conf:

openname = c:\some_hidden_place\t1.fdb

And connect to this database via its alias as user 'u0':

C:\>isql.exe localhost/3050:openname -user u0 -pas u0
Database:  localhost/3050:openname, User: u0
SQL> 

Now this user u0 can easily find out the real name of the database file:

SQL> set list on;
SQL> select MON$DATABASE_NAME from mon$database;

MON$DATABASE_NAME               C:\SOME_HIDDEN_PLACE\T1.FDB

PS.
ISQL Version: WI-V2.5.2.26390 Firebird 2.5
Server version:
Firebird/x86/Windows NT (access method), version "WI-V2.5.2.26426 Firebird 2.5 
online-val-3"
Firebird/x86/Windows NT (remote server), version "WI-V2.5.2.26426 Firebird 2.5 
online-val-3/tcp (balaha)/P12"
Firebird/x86/Windows NT (remote interface), version "WI-V2.5.2.26390 Firebird 
2.5/tcp (balaha)/P12"
on disk structure version 11.2

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
