On 19-5-2016 23:33, Leyne, Sean wrote:
>
>> I think Adriano is talking about the fact that someone from Java code running
>> inside Firebird would be able to make an embedded connection to any
>> database running on the same server. That is a totally different security
>> threat than the capability that a normal Java program with Jaybird has (as
>> it is either not running on a Firebird server, or with an (OS) user that
>> doesn't have access to those databases).
>
> But that is the risk of running multiple databases and applications which use 
> embedded engine on the same server.
>
> There are several ways to address that risk:
>
> 1 - don't do it, use separate machines
> 2 - use VMs to provide isolation
> 3 - use containers to provide isolation

We are specifically talking about Java "stored procedures", so Java code 
running inside Firebird. That means that it already has file level 
permissions to the same databases that the server has access to.

So using VMs or other containers sounds nice, but that would mean that 
you need a Firebird VM per database and make sure that those VMs or 
container. I don't think most users of Firebird will be waiting for the 
additional complexity of doing that.

BTW, this risk also exists for normal UDFs.

Mark
-- 
Mark Rotteveel

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
