On 2/10/19 12:07 PM, Mark Rotteveel wrote:
> While answering a question on Stack Overflow about restoring with
> gbak, I was thinking about the implications of the new system
> privilege USE_GBAK_UTILITY.
>
> A user that can back up and restore a database can do a lot more to a
> database. They can back up a database, manipulate it in some way on
> another machine and then restore the manipulated database (or another
> database entirely). Granting a user USE_GBAK_UTILITY essentially gives
> them indirect RDB$ADMIN rights.
>
> The only real protection against this is a database constantly being
> in use (which can be circumvented if the user also has
> USE_GFIX_UTILITY, so they can shut down the database).
>
> We may want to explicitly document this as an important caveat, as the
> implications may not be immediately clear.
>
> I think it might also be a good idea to provide two separate
> privileges (e.g. USE_GBAK_BACKUP, USE_GBAK_RESTORE), and maybe even drop
> USE_GBAK_UTILITY entirely.
Mark, have you paid attention to the fact that, to perform some activity, one should
have all the required permissions? For example, to replace a database using
gbak's -rep switch, the DROP_DATABASE permission is also needed.
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
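The following is an added example, not part of the thread above, showing how the two capabilities being compared would be set up with Firebird 4 system privileges: one role carrying only USE_GBAK_UTILITY, and one that additionally carries DROP_DATABASE, which the reply states gbak -rep requires. The role and user names (BACKUP_OP, RESTORE_OP, backup_op) and the password are assumptions for illustration; the CREATE ROLE ... SET SYSTEM PRIVILEGES syntax, the privilege names and the RDB$SYSTEM_PRIVILEGE() function are Firebird 4's.

```sql
-- Added example (not from the thread). Names BACKUP_OP, RESTORE_OP and
-- backup_op are assumed. Run as an administrator (creating roles that
-- carry system privileges is itself a privileged operation).

-- Role for the scenario Mark describes: gbak only.
CREATE ROLE BACKUP_OP
    SET SYSTEM PRIVILEGES TO USE_GBAK_UTILITY;

-- Role for an operator who may also overwrite the live database with
-- gbak -rep: per the reply, that needs DROP_DATABASE in addition to
-- USE_GBAK_UTILITY.
CREATE ROLE RESTORE_OP
    SET SYSTEM PRIVILEGES TO USE_GBAK_UTILITY, DROP_DATABASE;

-- Backup operator account: gets only the backup role. Deliberately not
-- granted: RESTORE_OP, and any role carrying USE_GFIX_UTILITY, which
-- would let the same account shut the database down first.
CREATE USER backup_op PASSWORD 'change-me';
GRANT BACKUP_OP TO USER backup_op;

-- Audit query: which of the privileges discussed does the current
-- attachment actually hold? System privileges only apply while the
-- role is active, so connect with the role under test (gbak itself
-- takes it via its -role switch).
SELECT RDB$SYSTEM_PRIVILEGE(USE_GBAK_UTILITY) AS can_run_gbak,
       RDB$SYSTEM_PRIVILEGE(DROP_DATABASE)    AS can_replace_database,
       RDB$SYSTEM_PRIVILEGE(USE_GFIX_UTILITY) AS can_shutdown_database
  FROM RDB$DATABASE;
```

Connected as backup_op with role BACKUP_OP, the audit query should return TRUE only for can_run_gbak; a TRUE in the other two columns means the account holds exactly the combination the thread warns about (restore over the live database, or shut it down to make that possible).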