Configuring External Locations - Firebird

Having external code and data that are accessed by the server can present a security vulnerability if the server’s filesystem is inadequately protected from intruders or is exposed through holes in the network. These external pieces can be made less vulnerable by configuring restrictions on where the Firebird engine may access them. The capability to deny access to unrecognized locations helps in the overall task of securing the filesystem and the network.

Settings in the Configuration File

The Firebird configuration file, as discussed earlier in this chapter, provides settings for restricting access to external function libraries, BLOB filter modules, and data files linked to tables defined using CREATE TABLE <table-name> EXTERNAL FILE (external tables or EVTs). The settings for Firebird 1.5, in firebird.conf, are different from those for Firebird 1.0.x, in isc_config (POSIX) or ibconfig (Windows).

The v.1.5 configuration applies to any model of the v.1.5 server. The v.1.0.x configuration applies only to Superserver.

UdfAccess

Version 1.5 forward, in firebird.conf

This parameter is used to restrict access to external function libraries and BLOB filter modules, perceived as a potential target for malicious intruder attacks. You can elect one of three levels of access to all such modules, to be applied serverwide. Before v.1.5, it was regarded as a benefit to be able to store external modules in multiple filesystem locations. It is now recommended that they be limited to a single tree or, in very exposed situations, disallowed altogether.

UdfAccess may be None, Restrict, or Full.

  • None disallows all use of user-defined external libraries. It is the installation default on most distributions.
  • Restrict (the default setting) restricts the location of callable external libraries to specific filesystem locations. By default, the search will begin in the /UDF directory beneath your Firebird root. To locate external function libraries or BLOB filter modules elsewhere in the local filesystem, supply a list of one or more directory tree-roots, separated by semicolons (;), within and beneath which these modules may be stored, for example:

POSIX: /db/extern;/mnt/extern
Windows: C:\ExternalModules

Relative paths are treated as relative to the path that the running server recognizes as the root directory of the Firebird installation. For example, on Windows, if the root of the Firebird installation is C:\Program Files\Firebird\Firebird_1_5, then the following value will restrict the server to accessing external modules only if they are located in C:\Program Files\Firebird\Firebird_1_5\userdata\ExternalModules:

UdfAccess = Restrict userdata\ExternalModules

  • Full permits external libraries to be accessed anywhere on the system. When Full access is enabled, the full file path and name must be included in the MODULE_NAME clause of the DECLARE EXTERNAL FUNCTION statement that declares the function to the database.

external_function_directory

Firebird 1.0.x, in isc_config/ibconfig

This parameter can be used in v.1.0.x to specify an arbitrary number of locations for external function libraries, BLOB filters, and/or character set modules. If this configuration parameter does not exist, Firebird checks the subdirectories ..\udf or ..\intl beneath the path that the running server recognizes as the root directory of the Firebird installation. These are some examples:

external_function_directory <double-quoted directory path>
external_function_directory "/opt/firebird/my_functions"
external_function_directory "/opt/extlibs/lang"
external_function_directory "d:\udfdir"

ExternalFileAccess

Version 1.5 forward, in firebird.conf

This parameter provides three levels of security regarding external files accessed from within the database through tables. The value is a string, which may be None, Full, or Restrict.

  • None (the default value) disables any use of external files on your server.
  • Restrict provides the ability to restrict the location of external files for database access to specific path-trees. Supply a list of one or more directory tree-roots, separated by semicolons (;), within and beneath which external files may be stored, for example:

Unix: /db/extern;/mnt/extern
Windows: C:\ExternalTables

Relative paths are treated as relative to the path that the running server recognizes as the root directory of the Firebird installation.

For example, on Windows, if the running server recognizes C:\Program Files\Firebird as the root directory of the Firebird installation, then the following value will restrict the server to accessing external files only if they are located in C:\Program Files\Firebird\userdata\ExternalTables:

ExternalFileAccess = Restrict userdata\ExternalTables

The following entry on POSIX will restrict access to only files located in or beneath /exportdata or /importdata:

ExternalFileAccess = Restrict /exportdata;/importdata
  • Full permits external files to be accessed anywhere on the system.

external_file_directory

Firebird 1.0.x, in ibconfig

On Windows only, this is for concentrating external files into one or more restricted locations. There is no limit to the number of directories that can be in the search list. Make a one-line entry per directory as follows:

external_file_directory <double-quoted directory path>
external_file_directory "d:\x-files"
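The following Python script is an added illustration, not code from the Firebird project, covering both the v.1.5 UdfAccess/ExternalFileAccess settings and the v.1.0.x external_function_directory/external_file_directory entries described above. It parses both configuration forms, resolves relative tree-roots against an assumed Firebird root directory (as the text says the engine does), normalizes away any ".." segments, and reports whether a given file path falls inside the permitted trees, so an administrator can verify what a configuration actually permits before relying on it. The sample configuration text, the /opt/firebird and C:\Program Files\Firebird\Firebird_1_5 roots, and every file path used are constructed for the example.

```python
"""Audit the external-location settings of a Firebird configuration file.

Added example, not part of Firebird. Handles the v1.5 firebird.conf form
(Key = Mode [root;root...]) and the v1.0.x isc_config/ibconfig form
(key "path", one line per directory). Sample configuration text is constructed.
"""
import ntpath
import posixpath

# Constructed v1.5-style excerpt; the roots are illustrative only.
SAMPLE_CONF_15 = """\
# firebird.conf (excerpt)
UdfAccess = Restrict UDF;/db/extern
ExternalFileAccess = Restrict /exportdata;/importdata
"""

# Constructed v1.0.x-style excerpt (isc_config / ibconfig).
SAMPLE_CONF_10 = """\
external_function_directory "/opt/firebird/my_functions"
external_function_directory "/opt/extlibs/lang"
external_file_directory "d:\\x-files"
"""


def parse_firebird_conf(text):
    """Return {'UdfAccess': (mode, roots), 'ExternalFileAccess': (mode, roots)}.

    Keys are matched case-insensitively, '#' comments are stripped, and the
    roots are the ';'-separated list that follows a Restrict mode.
    """
    canon = {"udfaccess": "UdfAccess", "externalfileaccess": "ExternalFileAccess"}
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        name = canon.get(key.strip().lower())
        if name is None:
            continue
        parts = value.strip().split(None, 1)
        if not parts:
            continue
        mode = parts[0].lower()
        roots = []
        if mode == "restrict" and len(parts) == 2:
            roots = [r.strip() for r in parts[1].split(";") if r.strip()]
        result[name] = (mode, roots)
    return result


def parse_legacy_conf(text):
    """Return the directory lists from a v1.0.x config, one quoted path per line."""
    result = {"external_function_directory": [], "external_file_directory": []}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in result:
            continue
        result[parts[0].lower()].append(parts[1].strip().strip('"'))
    return result


def resolve(path, firebird_root, windows=False):
    """Absolute, normalized form of path; relative paths hang off firebird_root."""
    p = ntpath if windows else posixpath
    full = path if p.isabs(path) else p.join(firebird_root, path)
    full = p.normpath(full)                    # collapses '.' and '..' segments
    return full.lower() if windows else full   # Windows paths compare case-insensitively


def in_tree(candidate, roots, firebird_root, windows=False):
    """True if candidate lies at or beneath one of the resolved tree-roots."""
    p = ntpath if windows else posixpath
    target = resolve(candidate, firebird_root, windows)
    for root in roots:
        base = resolve(root, firebird_root, windows)
        if target == base or target.startswith(base.rstrip(p.sep) + p.sep):
            return True
    return False


def is_allowed(mode, roots, candidate, firebird_root, windows=False):
    """Apply a v1.5 access mode: None blocks, Full allows, Restrict checks the trees."""
    mode = mode.lower()
    if mode == "none":
        return False
    if mode == "full":
        return True
    return in_tree(candidate, roots, firebird_root, windows)


if __name__ == "__main__":
    root = "/opt/firebird"                     # assumed installation root
    cfg = parse_firebird_conf(SAMPLE_CONF_15)
    for key, (mode, roots) in cfg.items():
        print(f"{key}: mode={mode} roots={roots}")
    mode, roots = cfg["ExternalFileAccess"]
    for f in ("/exportdata/2004/orders.dat", "/exportdata/../etc/passwd"):
        print(f, "->", "allowed" if is_allowed(mode, roots, f, root) else "denied")
    print(parse_legacy_conf(SAMPLE_CONF_10))
```

Run it against a copy of the real firebird.conf (or isc_config/ibconfig) and the installation's actual root to see which trees a Restrict setting opens up; a Full setting is reported as allowing any path, and a None setting as allowing none, which makes the difference between the three modes concrete.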
