From: Sasa Z. <pu...@sz...> - 2005-08-14 18:15:51

Hi Vladimir,

Thank you for the new release. BLOB works correctly now.

A few notes about the new User service:

1. On Creating/Modify user, the password/confirm string stays from the previously visited user
2. On entering the Users page, getting the info automatically is preferable

Sasa
--
www.szutils.net

From: Vladimir T. <pr...@hm...> - 2005-08-15 08:42:30

Hi Sasa,

> BLOB works correctly now.

Very well :-)

> A few notes about the new User service:
>
> 1. On Creating/Modify user, the password/confirm string stays from the
> previously visited user

It is impossible. This information is inaccessible to me. Firebird server does not give such information. This of schema works only in one party, client --> to server.

> 2. On entering the Users page, getting the info automatically is preferable

Ok!

--
Best regards,
Vladimir Tsvigun

From: Sasa Z. <pu...@sz...> - 2005-08-15 15:30:37

Hi Vladimir,

> > 1. On Creating/Modify user, the password/confirm string stays from the
> > previously visited user
>
> It is impossible.
> This information is inaccessible to me.
> Firebird server does not give such information.
> This of schema works only in one party,
> client --> to server.

Sorry, badly written. The problem is that password/confirm strings modified in one user are not cleared when you try to change the password of another user (even SYSTEM).

To reproduce the problem:

1. Add new user
2. Select SYSDBA user
3. Click to modify data on SYSDBA. - the password/confirm edit fields will contain the password/confirm string from the user you previously added
4. When we continue further and confirm the password change, we will modify SYSDBA with the password from that new user

Other related issues:

1. Changing the password on SYSDBA to one which consists of only one space character is accepted! After that the database is not accessible anymore. That should be forbidden.
2. Security issue on changing SYSDBA password. I suggest a confirm form before sending the request.

Thank you for your time.

Sasa
--
www.szutils.net

From: Vladimir T. <pr...@hm...> - 2005-08-24 18:56:54

Hi Sasa,

> To reproduce the problem:
>
> 1. Add new user
> 2. Select SYSDBA user
> 3. Click to modify data on SYSDBA. - the password/confirm edit fields
> will contain the password/confirm string from the user you previously added
> 4. When we continue further and confirm the password change, we will modify
> SYSDBA with the password from that new user

CVS fixed

> Other related issues:
>
> 1. Changing the password on SYSDBA to one which consists of only one space
> character is accepted! After that the database is not accessible anymore.
> That should be forbidden.

CVS fixed

> 2. Security issue on changing SYSDBA password. I suggest a confirm form
> before sending the request.

Ok! I shall think. Probably for this it is necessary to add a disabled "DELETE USER" button if SYSDBA is selected.

--
Best regards,
Vladimir Tsvigun

From: Sasa Z. <pu...@sz...> - 2005-08-24 20:36:39

Hi Vladimir,

> > 2. Security issue on changing SYSDBA password. I suggest a confirm
> > form before sending the request.
>
> Ok! I shall think. Probably for this it is necessary to add
> a disabled "DELETE USER" button if SYSDBA is selected.

On the other hand, maybe it is better to forbid all changes on the SYSDBA user. Anyone a bit skilled can make the database inaccessible/useless if they change the password of SYSDBA (if the original password is saved and accessible from the driver). A professional person will change it with the USER GRANT command, and an amateur will be blocked from potentially creating big damage.

I have experience with that sort of persons' behavior in the past, who considered themselves "smart" and experimented widely on their own "feeling" (purely in English and totally OS amateurs - application user personnel) with all kinds of security system parameters and usually created unrecoverable damage.

Sasa
--
www.szutils.net

From: Vladimir T. <pr...@hm...> - 2005-08-24 21:34:50

Hi Sasa,

> On the other hand, maybe it is better to forbid all changes on the SYSDBA user.
> Anyone a bit skilled can make the database inaccessible/useless if they change
> the password of SYSDBA (if the original password is saved and accessible from
> the driver). A professional person will change it with the USER GRANT command,
> and an amateur will be blocked from potentially creating big damage.

I think you are right. Agreed.

--
Best regards,
Vladimir Tsvigun
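
The three behaviours agreed on in this thread (password fields reset when another user is selected, a whitespace-only password rejected, changes to SYSDBA refused), as an added example that is not part of the original messages or the project's code. `UserForm`, `selectUser`, `isSysdba` and `validateChange` are hypothetical names, and case-insensitive account names are an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical dialog state; the names are assumptions, not the project's.
struct UserForm {
    std::string user;      // account currently selected in the Users page
    std::string password;  // password edit field
    std::string confirm;   // confirm edit field
};

enum class Check { Ok, ProtectedAccount, EmptyPassword, BlankPassword, Mismatch };

// Selecting an account discards whatever was typed for the previous one,
// so a password entered for a new user can never be submitted for SYSDBA.
void selectUser(UserForm &form, const std::string &user) {
    form.password.clear();
    form.confirm.clear();
    form.user = user;
}

// Assumption: account names compare case-insensitively.
bool isSysdba(std::string user) {
    std::transform(user.begin(), user.end(), user.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return user == "SYSDBA";
}

// Run before any request is sent to the server.
Check validateChange(const UserForm &form) {
    if (isSysdba(form.user)) return Check::ProtectedAccount;  // no edits to SYSDBA
    if (form.password.empty()) return Check::EmptyPassword;
    bool blank = std::all_of(form.password.begin(), form.password.end(),
                             [](unsigned char c) { return std::isspace(c) != 0; });
    if (blank) return Check::BlankPassword;                   // e.g. a single space
    if (form.password != form.confirm) return Check::Mismatch;
    return Check::Ok;
}

int main() {
    UserForm form;
    selectUser(form, "NEWUSER");
    form.password = form.confirm = "constructed-sample-pw";  // constructed value
    selectUser(form, "SYSDBA");                               // fields are reset here
    return validateChange(form) == Check::ProtectedAccount && form.password.empty() ? 0 : 1;
}
```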