
Some standard calls show server installation directory to regular users [CORE1845] #2274

Closed
firebird-automations opened this issue Apr 17, 2008 · 18 comments

Comments

@firebird-automations (Collaborator)

Submitted by: @AlexPeshkoff

Is related to QA216

In order to avoid extra security risks, details are given in a restricted comment.

Commits: 31af3c8 ed638ce

@firebird-automations (Collaborator, Author)

Commented by: @AlexPeshkoff

Using the standard information items isc_info_svc_get_env, isc_info_svc_get_env_lock and isc_info_svc_get_env_msg, one can get information about the location of the corresponding objects with only a regular login on the Firebird server.
Should be restricted to SYSDBA use only.

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Open [ 1 ]

Target: 2.5 Alpha 1, 2.1.1, 1.5.6, 2.0.5 [ 10224, 10223, 10225, 10222 ]

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

Fix Version: 2.5 Alpha 1 [ 10224 ]

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

Fix Version: 2.1.1 [ 10223 ]

@firebird-automations (Collaborator, Author)

Commented by: @dyemanov

Alex, I'm not sure it's worth backporting into v2.0 and v1.5. Your security patches for the service manager are committed into v2.1 only, and this ticket just adds one more check there. This change alone won't make the service manager secure in old FB versions, and I don't think we should backport the whole batch of changes.

@firebird-automations (Collaborator, Author)

Commented by: @AlexPeshkoff

Dmitry, agreed here. It's really useless.

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

Target: 2.5 Alpha 1, 2.1.1, 1.5.6, 2.0.5 [ 10224, 10223, 10225, 10222 ] => 2.1.1, 2.5 Alpha 1 [ 10223, 10224 ]

status: Open [ 1 ] => Open [ 1 ]

@firebird-automations (Collaborator, Author)

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

@firebird-automations (Collaborator, Author)

Commented by: Volker Rehn (vr2_s18)

Some apps require a list of aliases. With customer-side installations, the SYSDBA password is often unknown to deployers. A workaround could be to allow the DBO access to server info like isc_info_svc_get_env, because 2.5 with its rdb$admin isn't available yet for production.

@firebird-automations (Collaborator, Author)

Commented by: @AlexPeshkoff

Sorry, it's impossible. The service manager works in server context, not database context; therefore DBO is meaningless for it.

@firebird-automations (Collaborator, Author)

Modified by: @pcisar

Link: This issue blocks progress on QA216 [ QA216 ]

@firebird-automations (Collaborator, Author)

Modified by: @pcisar

Link: This issue is related to QA216 [ QA216 ]

@firebird-automations (Collaborator, Author)

Modified by: @pcisar

Link: This issue blocks progress on QA216 [ QA216 ] =>

@firebird-automations (Collaborator, Author)

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations (Collaborator, Author)

Commented by: @pcisar

Test added.

@firebird-automations (Collaborator, Author)

Modified by: @pavel-zotov

QA Status: No test

@firebird-automations (Collaborator, Author)

Modified by: @pavel-zotov

QA Status: No test => Done successfully
