While answering a question on Stack Overflow about restoring with gbak,
I was thinking about the implications of the new system privilege
USE_GBAK_UTILITY.
A user that can back up and restore a database can do a lot more to a
database. They can back up a database, manipulate it in some way on
another machine and then restore the manipulated database (or another
database entirely). Granting a user USE_GBAK_UTILITY essentially gives
them indirect RDB$ADMIN rights.
The only real protection against this is a database constantly being in
use (which can be circumvented if the user also has USE_GFIX_UTILITY so
they can shut down the database).
We may want to explicitly document this as an important caveat, as the
implications may not be immediately clear.
I think it might also be a good idea to provide two separate privileges
(e.g. USE_GBAK_BACKUP, USE_GBAK_RESTORE), and maybe even drop the
USE_GBAK_UTILITY entirely.
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
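Added example, not part of the message above or of Firebird's own code: how the USE_GBAK_UTILITY privilege discussed there is granted in Firebird 4 (system privileges are attached to a role, which is then granted to a user), and a query to audit which roles carry any system privileges. The role name BACKUP_OPERATOR and user name backup_svc are assumptions.

```sql
-- Added example (not from the original message). Role and user names
-- are hypothetical. Syntax is Firebird 4 system-privilege DDL.

-- A role carrying only USE_GBAK_UTILITY. As the message points out, this
-- single privilege already permits backup -> offline manipulation ->
-- restore, so grant it as you would an administrative right.
CREATE ROLE BACKUP_OPERATOR
  SET SYSTEM PRIVILEGES TO USE_GBAK_UTILITY;

-- The combination to avoid (left commented out for contrast): adding
-- USE_GFIX_UTILITY to the same role lets the holder shut the database
-- down, removing the "database in use" obstacle to a restore.
-- ALTER ROLE BACKUP_OPERATOR
--   SET SYSTEM PRIVILEGES TO USE_GBAK_UTILITY, USE_GFIX_UTILITY;

-- Grant the role to the dedicated backup account only.
GRANT BACKUP_OPERATOR TO USER backup_svc;

-- Audit: list roles that carry any system privileges at all.
-- RDB$SYSTEM_PRIVILEGES is a bitmask, so non-NULL means "has some";
-- review each listed role's DDL to see which ones.
SELECT RDB$ROLE_NAME, RDB$SYSTEM_PRIVILEGES
FROM RDB$ROLES
WHERE RDB$SYSTEM_PRIVILEGES IS NOT NULL;
```

The point of keeping gbak and gfix rights in separate roles is that the only mitigation the message identifies (a database that is always in use) survives only if the backup operator cannot also take the database offline.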