Submitted By: pcisar
Put here from mers newslist post :
Some time ago I found out that default Linux
installation of IB4.0 introduces Huge security holes.
I've put up some thoughts about it at
Pretty much all outlined above is still valid for
InterBase 6.0, at least SuperServer which I have just
(re)installed. This is not good.
The point here is that _default_ installation must be
Just to sum up what should necessarily be done in
- create 'interbas' (or some other) unix user
- all installed files should be owned by that user
- through 'gsec', add an entry in isc4.gdb for
- through 'isql', exec 'grant all on users to
/opt/interbase/isc4.gdb security database to which
attached as sysdba - the point here is that all
maintenance will be performed by 'interbas' user,
step is necessary to allow 'interbas' managing user
- fix 666 (or 777) modes on some files.
- create directory /var/interbase (or something like
where .gdb files will be stored (or somewhere in
Somewhere deep in server code:
- check which will prevent InterBase daemon from as root
I'm sure there are even more things that should be
taken care of.
Comments and flames welcome,
Although the actual bug is not described here, the
solution is very similar to one posted to a mers
newsgroup by firstname.lastname@example.org
about a year ago. If it
is the same bug (it wasn't described there either) then
it is limited to only single Interbase feature.
The bug applies equally to Windows NT.
Either system can be taken out/over in less than a
minute by a user with a valid Interbase account (I
timed myself on Unix typing commands at the command
Borland had the Unix version of the bug listed but I
never bothered to check the status of the Windows bug -
I presumed it was known.
I notice that the poster does not recommend leaving the
lock manager running as suid root - which I had thought
was necessary (in the classic architecture) and safe.
If anyone would like further information or my ideas on
this bug and its solution feel free to contact me.
PS: I have been out of the Interbase development
environment for a while - it is interesting to see how
things have moved on.