I think Adriano is talking about the fact that someone from Java code running
inside Firebird would be able to make an embedded connection to any database
running on the same server. That is a totally different security threat than
the capability that a normal Java program with Jaybird has (as it is either not
running on a Firebird server, or with an (OS) user that doesn't have access to
those databases).
Mark
----- Reply to message -----
From: "Alex Peshkoff" <peshk...@mail.ru>
To: <firebird-devel@lists.sourceforge.net>
Subject: [Firebird-devel] FB/Java embedded connections
Date: Thu, May 19, 2016 18:53
On 05/19/2016 07:15 PM, Adriano dos Santos Fernandes wrote:
> Hi!
>
> The FB/Java plugin has a permission system.
>
> By default, one can create his routines but is limited, for example, to
> not accessing the server filesystem.
>
> Sys admin can grant Java permissions to users and roles.
>
> But there is a problem with embedded connections.
>
> If one uses the Jaybird server-side JDBC driver, he can connect to any
> database without user names.
>
> It would be possible to disallow embedded connections, but that seems like a
> bad solution.
>
> One will need to use a slower method to connect to other databases in the
> same server.
>
> How are these embedded connections that don't verify user names going to
> be fixed, at least for such cases?

You know yourself that for embedded connections in an open source product
any credential validation is not reliable - everyone can rebuild the
required dynamic library, commenting out 2-3 lines where needed, and
become SYSDBA. I think that the only reliable thing for embedded is the
rights of the OS user. Use of them to check access to the host filesystem
appears native.
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel