Some standard calls show server installation directory to regular users [CORE1845] #2274
Comments
Commented by: @AlexPeshkoff Using the standard information items isc_info_svc_get_env, isc_info_svc_get_env_lock & isc_info_svc_get_env_msg, one can get information about the location of the appropriate objects while having only a regular login on the Firebird server.
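The three items named above are answered through the Services API as a clumplet-style reply buffer. The following is an added example, not code from the Firebird project or from this ticket: it decodes such a reply buffer and reports which of the isc_info_svc_get_env* items a server actually returned, which is how a tester connected with a regular (non-SYSDBA) login would check whether a given server still discloses its installation, lock and message directories. The item codes (59, 60, 61, isc_info_end = 1, isc_info_truncated = 2, isc_info_svc_server_version = 55) are taken from my reading of ibase.h and should be verified against the installed header; the reply buffers are constructed by hand, not captured from a server.

```python
# Added example (not Firebird project code): decode a Firebird Services API
# reply buffer and report whether it discloses server-side paths through the
# isc_info_svc_get_env* items discussed in CORE1845.
#
# Assumptions: the item codes below are as read from ibase.h; verify them
# against your installed header. Both sample buffers are constructed by hand.
import struct

ISC_INFO_END = 1            # terminator of every reply buffer
ISC_INFO_TRUNCATED = 2      # reply did not fit the caller's buffer
ISC_INFO_SVC_SERVER_VERSION = 55
ISC_INFO_SVC_GET_ENV = 59
ISC_INFO_SVC_GET_ENV_LOCK = 60
ISC_INFO_SVC_GET_ENV_MSG = 61

ENV_ITEMS = {
    ISC_INFO_SVC_GET_ENV: "isc_info_svc_get_env",
    ISC_INFO_SVC_GET_ENV_LOCK: "isc_info_svc_get_env_lock",
    ISC_INFO_SVC_GET_ENV_MSG: "isc_info_svc_get_env_msg",
}


def decode_service_reply(buf: bytes) -> dict:
    """Walk a service query reply: each entry is a 1-byte item code, a 2-byte
    little-endian length and that many payload bytes, ended by isc_info_end.
    Returns {item_code: payload_bytes}; a truncated reply sets 'truncated'."""
    out = {}
    pos = 0
    while pos < len(buf):
        item = buf[pos]
        pos += 1
        if item == ISC_INFO_END:
            break
        if item == ISC_INFO_TRUNCATED:
            out["truncated"] = True
            break
        if pos + 2 > len(buf):
            raise ValueError("reply cut off inside length field")
        (length,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        payload = buf[pos:pos + length]
        if len(payload) != length:
            raise ValueError("reply cut off inside payload")
        pos += length
        out[item] = payload
    else:
        raise ValueError("reply lacks isc_info_end terminator")
    return out


def disclosed_paths(buf: bytes) -> dict:
    """Return {item_name: path} for each env item present in the reply.
    An empty dict means the server answered without revealing locations."""
    decoded = decode_service_reply(buf)
    return {name: decoded[code].decode("utf-8", "replace")
            for code, name in ENV_ITEMS.items() if code in decoded}


def build_reply(items: dict) -> bytes:
    """Construct a reply buffer in the same wire format (test data only)."""
    buf = bytearray()
    for code, value in items.items():
        data = value.encode()
        buf.append(code)
        buf += struct.pack("<H", len(data))
        buf += data
    buf.append(ISC_INFO_END)
    return bytes(buf)


# Constructed sample: what an unpatched server could answer to a regular login.
LEAKY_REPLY = build_reply({
    ISC_INFO_SVC_GET_ENV: "/opt/firebird/",
    ISC_INFO_SVC_GET_ENV_LOCK: "/opt/firebird/",
    ISC_INFO_SVC_GET_ENV_MSG: "/opt/firebird/",
})

# Constructed sample: a reply carrying only a harmless item and no env items.
CLEAN_REPLY = build_reply({ISC_INFO_SVC_SERVER_VERSION: "sample server version"})

if __name__ == "__main__":
    print("leaky reply ->", disclosed_paths(LEAKY_REPLY))
    print("clean reply ->", disclosed_paths(CLEAN_REPLY))
```

To use this against a live server, attach with isc_service_attach as an ordinary user, call isc_service_query with the three env items in the request buffer, and pass the reply buffer to disclosed_paths; any non-empty result means the server is still subject to this ticket.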
Modified by: @AlexPeshkoff | assignee: Alexander Peshkov [ alexpeshkoff ]
Modified by: @AlexPeshkoff | status: Open [ 1 ] => Open [ 1 ] | Target: 2.5 Alpha 1, 2.1.1, 1.5.6, 2.0.5 [ 10224, 10223, 10225, 10222 ]
Modified by: @AlexPeshkoff | Fix Version: 2.5 Alpha 1 [ 10224 ]
Modified by: @AlexPeshkoff | Fix Version: 2.1.1 [ 10223 ]
Commented by: @dyemanov Alex, I'm not sure it's worth backporting into v2.0 and v1.5. Your security patches for the service manager are committed into v2.1 only, and this ticket just adds one more check there. This change alone won't make the service manager secure in old FB versions, and I don't think we should backport the whole batch of changes.
Commented by: @AlexPeshkoff Dmitry, agreed here. It's really useless.
Modified by: @AlexPeshkoff | Target: 2.5 Alpha 1, 2.1.1, 1.5.6, 2.0.5 [ 10224, 10223, 10225, 10222 ] => 2.1.1, 2.5 Alpha 1 [ 10223, 10224 ] | status: Open [ 1 ] => Open [ 1 ]
Commented by: Volker Rehn (vr2_s18) Some apps require a list of aliases. With customer-side installations, the SYSDBA password is often unknown to deployers. A workaround could be to allow the DBO access to server info like isc_info_svc_get_env, because 2.5 with its RDB$ADMIN isn't available yet for production.
Commented by: @AlexPeshkoff Sorry, it's impossible. The service manager works in server context, not database context, therefore DBO is meaningless for it.
Modified by: @pcisar | status: Resolved [ 5 ] => Closed [ 6 ]
Commented by: @pcisar Test added.
Modified by: @pavel-zotov | QA Status: No test
Modified by: @pavel-zotov | QA Status: No test => Done successfully
Submitted by: @AlexPeshkoff
Is related to QA216
To avoid extra security risks, the details are given in a restricted comment.
Commits: 31af3c8 ed638ce