On 20-5-2016 10:18, Alex Peshkoff wrote: > On 05/20/2016 10:17 AM, Dmitry Yemanov wrote: >> What about a new parameter in firebird.conf: EmbeddedDatabaseAccess, >> defaulted to "Restrict Self" (which is OK for 99% embedded apps)? > > Sorry looks like I do not understand what is suggested. What else values > can have that parameter? > >> It will be checked for outgoing embedded connections, as they're usually >> (*) handled by the same engine. > > As far as I understand Java (may be not very good) there is a layer > between Java code trying to attach to database and yvalve, i.e. Java > code can't call Provider::attachDatabase() directly. Am I right? If yes > we already have working solution in extds. > >> Remote connections will be always >> allowed and protected by the generic authentication. >> >> (*) The problem here is what to do if the external routine explicitly >> loads a different y-valve with possibly different engine (using a >> different configuration). >> > > If it's about routine in machine codes such routine should not exist on > server. Nor in UDF, nor in plugins. No other solutions. > What about Java - I hope call to dynamic library loader can be > restricted by VM?
Yes it can, but for example the client library (and embedded engine) is already loaded because that is used by FB/Java itself, so it is available. It might be possible to restrict access, but I don't know the Java SecurityManager well enough to answer that. It might be possible to do some ClassLoader magic to restrict access to the loaded library, and then deny access to load it again from other parts, but as the Java code also most be able to get the 'default' connection (access to the current connection), that might not be feasible. Mark -- Mark Rotteveel ------------------------------------------------------------------------------ Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
