Re: disable creations of new databases when running the network server

2023-10-04 Thread Oscar Melendez
Problem bro help please

On Sat, Sep 16, 2023, 12:06 PM, Rick Hillegas <rick.hille...@gmail.com> wrote:

> You are correct. Any valid user can create as many databases as they
> want, provided that the databases are created in a part of the file
> system which is write-accessible to the engine jar and to the account
> which runs the server. There is no way to prevent a valid user from
> creating databases.
>
> On 9/15/23 11:51 PM, fed wrote:
> > Hi,
> >
> > My doubt is that, if I am not wrong, every user that can connect to the
> > network server can create a new database and so indirectly a new directory
> > in the same places where the user that runs the network server have write
> > permissions.
> > I would prefer to create the database not directly on the network server
> > but with the embedded driver and then later make it available on the
> > network server.
> > Maybe it is possible to limit this behaviour via the security manager but I
> > don't think this can change a lot of the behaviour.
> >
> > Is it possible to disable/prevent/limit this?
> >
> > Thanks for the help
> > - fed
> >
>
>


Re: disable creations of new databases when running the network server

2023-09-29 Thread Rick Hillegas
Yes, that's what I meant. The valid users are the users declared in your 
network-wide authentication scheme, which in your case is NATIVE 
authentication using a credentials database.


On 9/29/23 12:30 PM, fed wrote:

Hi Rick,

thanks for the answer, I know it seems an obvious question but what do you
mean with "valid user" ?
I try to explain: my setup is this one (I asked help for it time ago in the
mailing list):

a dbs/ dir (that is derby.system.home) where I have all of my db (db1, db2,
db3 etc) every one with their own native authentication and a credentials
db used by the network server, with derby.properties that is

derby.authentication.provider=NATIVE:credentials

the valid users that can create a new db are the one defined in the
credentials db, right?

Thanks for the help.
- fed



On Sat, 16 Sept 2023 at 20:04, Rick Hillegas wrote:


You are correct. Any valid user can create as many databases as they
want, provided that the databases are created in a part of the file
system which is write-accessible to the engine jar and to the account
which runs the server. There is no way to prevent a valid user from
creating databases.

On 9/15/23 11:51 PM, fed wrote:

Hi,

My doubt is that, if I am not wrong, every user that can connect to the
network server can create a new database and so indirectly a new directory
in the same places where the user that runs the network server have write
permissions.
I would prefer to create the database not directly on the network server
but with the embedded driver and then later make it available on the
network server.
Maybe it is possible to limit this behaviour via the security manager but I
don't think this can change a lot of the behaviour.

Is it possible to disable/prevent/limit this?

Thanks for the help
- fed







Re: disable creations of new databases when running the network server

2023-09-29 Thread fed
Hi Rick,

thanks for the answer, I know it seems an obvious question but what do you
mean with "valid user" ?
I try to explain: my setup is this one (I asked help for it time ago in the
mailing list):

a dbs/ dir (that is derby.system.home) where I have all of my db (db1, db2,
db3 etc) every one with their own native authentication and a credentials
db used by the network server, with derby.properties that is

derby.authentication.provider=NATIVE:credentials

the valid users that can create a new db are the one defined in the
credentials db, right?

Thanks for the help.
- fed



On Sat, 16 Sept 2023 at 20:04, Rick Hillegas wrote:

> You are correct. Any valid user can create as many databases as they
> want, provided that the databases are created in a part of the file
> system which is write-accessible to the engine jar and to the account
> which runs the server. There is no way to prevent a valid user from
> creating databases.
>
> On 9/15/23 11:51 PM, fed wrote:
> > Hi,
> >
> > My doubt is that, if I am not wrong, every user that can connect to the
> > network server can create a new database and so indirectly a new directory
> > in the same places where the user that runs the network server have write
> > permissions.
> > I would prefer to create the database not directly on the network server
> > but with the embedded driver and then later make it available on the
> > network server.
> > Maybe it is possible to limit this behaviour via the security manager but I
> > don't think this can change a lot of the behaviour.
> >
> > Is it possible to disable/prevent/limit this?
> >
> > Thanks for the help
> > - fed
> >
>
>


Re: disable creations of new databases when running the network server

2023-09-16 Thread Rick Hillegas
You are correct. Any valid user can create as many databases as they 
want, provided that the databases are created in a part of the file 
system which is write-accessible to the engine jar and to the account 
which runs the server. There is no way to prevent a valid user from 
creating databases.


On 9/15/23 11:51 PM, fed wrote:

Hi,

My doubt is that, if I am not wrong, every user that can connect to the
network server can create a new database and so indirectly a new directory
in the same places where the user that runs the network server have write
permissions.
I would prefer to create the database not directly on the network server
but with the embedded driver and then later make it available on the
network server.
Maybe it is possible to limit this behaviour via the security manager but I
don't think this can change a lot of the behaviour.

Is it possible to disable/prevent/limit this?

Thanks for the help
- fed
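
Since the answer above says database creation cannot be switched off, one detection-side check is to compare the databases that actually exist on disk against a list of the ones that should. The script below is an added example, not part of the original thread or of Derby; it assumes each database is a directory containing a `service.properties` file, and the allowlist file (one relative path per line) and all sample names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report Derby databases that exist under
# a directory tree but are missing from an operator-maintained allowlist.

# Print every database directory below ROOT, relative to ROOT, one per line.
# Assumption: a Derby database is a directory holding a service.properties file.
list_derby_dbs() {
    root=${1%/}
    find "$root" -type f -name service.properties |
    while IFS= read -r props; do
        dir=${props%/service.properties}
        printf '%s\n' "${dir#"$root"/}"
    done | sort
}

# Print the databases under ROOT that are not listed in ALLOWLIST (hypothetical
# file, one relative path per line). Prints nothing when every database is
# expected; fails only if grep itself reports an error.
find_unexpected_dbs() {
    list_derby_dbs "$1" | grep -Fvx -f "$2" || [ $? -eq 1 ]
}

# Constructed sample: db1 and credentials are expected, scratch/newdb is not.
demo() {
    tmp=$(mktemp -d)
    for db in db1 credentials scratch/newdb; do
        mkdir -p "$tmp/dbs/$db/seg0"
        : > "$tmp/dbs/$db/service.properties"
    done
    printf 'db1\ncredentials\n' > "$tmp/allow.txt"
    find_unexpected_dbs "$tmp/dbs" "$tmp/allow.txt"
    rm -rf "$tmp"
}

# Usage: script ROOT ALLOWLIST   or   script --demo
case ${1:-} in
    --demo) demo ;;
    "")     : ;;
    *)      find_unexpected_dbs "$1" "$2" ;;
esac
```

Because a database can be created anywhere the server account can write, the check needs to be run over each such location, not only the directory set as derby.system.home.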





Re: disable creations of new databases when running the network server

2023-09-16 Thread Stanimir Stamenkov via derby-user

Sat, 16 Sep 2023 08:51:39 +0200, /fed/:

My doubt is that, if I am not wrong, every user that can connect to the 
network server can create a new database and so indirectly a new 
directory in the same places where the user that runs the network server 
have write permissions.
I would prefer to create the database not directly on the network server 
but with the embedded driver and then later make it available on the 
network server.
Maybe it is possible to limit this behaviour via the security manager 
but I don't think this can change a lot of the behaviour.


Is it possible to disable/prevent/limit this?


That's an interesting question I'm also curious about.

I've found the following documentation references that could be explored 
while waiting for more knowledgeable respondents to chime in:


  * Configuring user authorization (Derby Security Guide) 

  * Configuring fine-grained user authorization 



If you are using LDAP authentication, then you will need to enable 
fine-grained authorization by setting the derby.database.sqlAuthorization 
property to true.


If you use NATIVE authentication, there is no need to set the 
derby.database.sqlAuthorization property. NATIVE authentication 
automatically enables fine-grained authorization.


"SQL standard authorization":

  * derby.database.sqlAuthorization (Derby Reference Manual) 



I couldn't find specific privileges about creating a database – have you 
tried if enabling "SQL standard authorization" (if not already?) 
disables this for remote access and/or non-admin users?


--
Stanimir


disable creations of new databases when running the network server

2023-09-16 Thread fed
Hi,

My doubt is that, if I am not wrong, every user that can connect to the
network server can create a new database and so indirectly a new directory
in the same places where the user that runs the network server have write
permissions.
I would prefer to create the database not directly on the network server
but with the embedded driver and then later make it available on the
network server.
Maybe it is possible to limit this behaviour via the security manager but I
don't think this can change a lot of the behaviour.

Is it possible to disable/prevent/limit this?

Thanks for the help
- fed