On 12/12/2021 14:55, Dimitry Sibiryakov wrote: > Alex Peshkoff via Firebird-devel wrote 12.12.2021 18:52: >>> >>> If it does not return sensitive information, I see no problem in add >>> it to examples UDR project. >> >> With a check for SYSDBA I see no security risk with this UDR > > Isn't GRANT EXECUTE to RDB$ADMIN enough? Or UDRs are not subject of > SQL rights? >
The problem is that if it's available in the server, it can be declared in all databases. There is no external routines security in relation to databases. So an UDR reading sensitive information must control security itself. Adriano Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel