The POSIX Hole - Firebird

On POSIX platforms, Firebird can admit client connections that bypass Firebird user authentication and rely on the operating system's user and permissions scheme instead. It is a long-standing feature inherited from InterBase, and it has remained virtually undocumented. Not knowing about it leaves a big security hole on POSIX platforms if the POSIX user access path is left wide open and the system administrator mistakenly assumes that the security database is the ultimate gatekeeper.

It is not. When POSIX users log in without passing a Firebird user name and password, the authentication routine substitutes the current operating system identity for the Firebird user identity. If the operating system user has root privileges, be afraid—be very afraid.

For POSIX users to be granted access to Firebird databases with their operating system credentials, a trusted host relationship must be defined between the server and each client workstation. This is done with entries in /etc/hosts.equiv, or by other means, such as a .rhosts file in the user's home directory on the server.

The environment variables ISC_USER and ISC_PASSWORD must be eliminated from the system.
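The following audit script is an added example, not part of the original page or of the Firebird project. It checks the three conditions described above on a POSIX Firebird host: trusting entries in a hosts.equiv-style file, per-user .rhosts files under a home directory root, and ISC_USER/ISC_PASSWORD set in the environment or assigned in profile files. File paths are parameters (assumed, not prescribed by the page) so it can be run against the real files or against constructed samples.

```shell
#!/bin/sh
# Added audit example (not from the page or the Firebird project): lists the
# trust settings described in the text on a POSIX Firebird server.

# check_hosts_equiv FILE
# Print one finding per active entry in a hosts.equiv-style file. A host
# field of '+' trusts every host, which is the "wide open" case; a leading
# '-' is an explicit deny and is not reported.
check_hosts_equiv() {
    [ -r "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        host=${line%%[[:space:]]*}      # first whitespace-separated field
        case $host in
            ''|'#'*|'-'*) ;;            # blank, comment, or deny entry
            '+') echo "WIDE OPEN: $1 trusts every host ($line)" ;;
            *)   echo "trusted host in $1: $line" ;;
        esac
    done < "$1"
}

# check_rhosts HOMEROOT
# Same scan for every HOMEROOT/<user>/.rhosts, which extends trust per user.
check_rhosts() {
    for rh in "$1"/*/.rhosts; do
        if [ -f "$rh" ]; then check_hosts_equiv "$rh"; fi
    done
}

# check_isc_env PROFILE...
# Report ISC_USER / ISC_PASSWORD present in the current environment or
# assigned in the given shell profile files.
check_isc_env() {
    if [ -n "${ISC_USER+x}" ]; then echo "ISC_USER is set in the environment"; fi
    if [ -n "${ISC_PASSWORD+x}" ]; then echo "ISC_PASSWORD is set in the environment"; fi
    for pf in "$@"; do
        [ -r "$pf" ] || continue
        grep -n -E 'ISC_(USER|PASSWORD)=' "$pf" | while IFS= read -r hit; do
            echo "credential variable in $pf:$hit"
        done
    done
}

# audit_firebird_posix HOSTS_EQUIV HOMEROOT PROFILE...
audit_firebird_posix() {
    check_hosts_equiv "$1"
    check_rhosts "$2"
    shift 2
    check_isc_env "$@"
}

if [ $# -gt 0 ]; then
    audit_firebird_posix "$@"   # e.g. /etc/hosts.equiv /home /etc/profile
fi
```

Every line of output is a trust path that Firebird user authentication will not mediate; an empty report means none of the three conditions was found in the files given.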

