dimitr
e55369deef
Update.
|
16 gadi atpakaļ | |
|---|---|---|
| .. | ||
| sql.extensions | 21 gadi atpakaļ | |
| Firebird_conf.txt | 22 gadi atpakaļ | |
| README.NTSecurity | 22 gadi atpakaļ | |
| README.Win32LibraryInstallation.txt | 22 gadi atpakaļ | |
| README.build.mingw.html | 22 gadi atpakaļ | |
| README.build.msvc.html | 22 gadi atpakaļ | |
| README.install.Solaris_on_Intel | 21 gadi atpakaļ | |
| README.instsvc | 22 gadi atpakaļ | |
| README.makefiles | 23 gadi atpakaļ | |
| README.user | 22 gadi atpakaļ | |
| README.user.embedded | 21 gadi atpakaļ | |
| README.user.troubleshooting | 22 gadi atpakaļ | |
| WhatsNew | 16 gadi atpakaļ | |
| fb2-todo.txt | 22 gadi atpakaļ | |
| install_win32.txt | 22 gadi atpakaļ | |
README.NTSecurity
Issue:
======
If the LocalSystem user is allowed to install the Firebird Service,
it could make the whole system accessible to a malicious attacker.
Scope:
======
Affects Windows NT platforms.
Document author:
=================
Alex Peshkov ([email protected])
Document date: 2003/06/22
==============
Firebird installation kits for Windows NT systems, i.e. those that
support services, currently provide a route into the host system
for any hacker who finds a new security hole in Firebird. All of
the current kits install the Firebird service to run under the
LocalSystem account. Through Firebird, the attacker can get
LocalSystem access to the system.
The steps to fix things manually are simple:
1) add the user 'firebird' as a member of the Domain users group,
with default rights
2) grant this user write access to all databases, including
security.fdb (isc4.gdb in pre-1.5 versions), and the
firebird.log file
3) grant the user 'firebird' rights to "Login as service"
4) make the Firebird services (FirebirdServer and FirebirdGuardian,
if used, log in with username 'firebird'
Solution:
=========
Alex Peshkov
People writing installers should note that Firebird's standard routine
to install and manage the Firebird Service on WinNT/2000/XP platforms
(instsvc.exe) was upgraded in version 1.5 by the addition of an
optional L[ogin] switch to the {install} command. It is strongly
recommended that you employ this switch in the Windows kits, to make
the 'firebird' user, not LocalSystem, the default account under which
the Firebird Service logs in.
For more details, see the document README.instsvc
switch to (see instsvc.exe).
======
If the LocalSystem user is allowed to install the Firebird Service,
it could make the whole system accessible to a malicious attacker.
Scope:
======
Affects Windows NT platforms.
Document author:
=================
Alex Peshkov ([email protected])
Document date: 2003/06/22
==============
Firebird installation kits for Windows NT systems, i.e. those that
support services, currently provide a route into the host system
for any hacker who finds a new security hole in Firebird. All of
the current kits install the Firebird service to run under the
LocalSystem account. Through Firebird, the attacker can get
LocalSystem access to the system.
The steps to fix things manually are simple:
1) add the user 'firebird' as a member of the Domain users group,
with default rights
2) grant this user write access to all databases, including
security.fdb (isc4.gdb in pre-1.5 versions), and the
firebird.log file
3) grant the user 'firebird' rights to "Login as service"
4) make the Firebird services (FirebirdServer and FirebirdGuardian,
if used, log in with username 'firebird'
Solution:
=========
Alex Peshkov
People writing installers should note that Firebird's standard routine
to install and manage the Firebird Service on WinNT/2000/XP platforms
(instsvc.exe) was upgraded in version 1.5 by the addition of an
optional L[ogin] switch to the {install} command. It is strongly
recommended that you employ this switch in the Windows kits, to make
the 'firebird' user, not LocalSystem, the default account under which
the Firebird Service logs in.
For more details, see the document README.instsvc
switch to (see instsvc.exe).