|
From: <ale...@us...> - 2013-11-22 15:21:14
|
Revision: 58822
http://sourceforge.net/p/firebird/code/58822
Author: alexpeshkoff
Date: 2013-11-22 15:21:11 +0000 (Fri, 22 Nov 2013)
Log Message:
-----------
Implemented CORE-4273: Per-database control on access to database from remote stations
Modified Paths:
--------------
firebird/trunk/builds/install/misc/databases.conf.in
firebird/trunk/src/auth/SecureRemotePassword/manage/SrpManagement.cpp
firebird/trunk/src/auth/SecurityDatabase/LegacyManagement.epp
firebird/trunk/src/burp/burp.cpp
firebird/trunk/src/common/config/config.cpp
firebird/trunk/src/common/config/config.h
firebird/trunk/src/include/consts_pub.h
firebird/trunk/src/jrd/jrd.cpp
firebird/trunk/src/jrd/tra.cpp
firebird/trunk/src/remote/server/server.cpp
Modified: firebird/trunk/builds/install/misc/databases.conf.in
===================================================================
--- firebird/trunk/builds/install/misc/databases.conf.in 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/builds/install/misc/databases.conf.in 2013-11-22 15:21:11 UTC (rev 58822)
@@ -21,5 +21,14 @@
employee = $(dir_sampledb)/employee.fdb
#
+# Master security database specific setup.
+# Do not remove it until you understand well what are you doing!
+#
+security.db = $(root)/security3.fdb
+{
+ RemoteAccess = false
+}
+
+#
# Live Databases:
#
Modified: firebird/trunk/src/auth/SecureRemotePassword/manage/SrpManagement.cpp
===================================================================
--- firebird/trunk/src/auth/SecureRemotePassword/manage/SrpManagement.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/auth/SecureRemotePassword/manage/SrpManagement.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -187,7 +187,6 @@
}
Firebird::ClumpletWriter dpb(Firebird::ClumpletReader::dpbList, MAX_DPB_SIZE);
- dpb.insertByte(isc_dpb_gsec_attach, TRUE);
dpb.insertByte(isc_dpb_sec_attach, TRUE);
const unsigned char* authBlock;
Modified: firebird/trunk/src/auth/SecurityDatabase/LegacyManagement.epp
===================================================================
--- firebird/trunk/src/auth/SecurityDatabase/LegacyManagement.epp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/auth/SecurityDatabase/LegacyManagement.epp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -147,7 +147,6 @@
}
Firebird::ClumpletWriter dpb(Firebird::ClumpletReader::dpbList, MAX_DPB_SIZE);
- dpb.insertByte(isc_dpb_gsec_attach, TRUE);
dpb.insertByte(isc_dpb_sec_attach, TRUE);
const unsigned char* authBlock;
Modified: firebird/trunk/src/burp/burp.cpp
===================================================================
--- firebird/trunk/src/burp/burp.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/burp/burp.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -943,7 +943,6 @@
Firebird::ClumpletWriter dpb(Firebird::ClumpletReader::Tagged, MAX_DPB_SIZE, isc_dpb_version1);
dpb.insertString(isc_dpb_gbak_attach, FB_VERSION, strlen(FB_VERSION));
- dpb.insertByte(isc_dpb_gsec_attach, 1); // make it possible to have local security backups
uSvc->fillDpb(dpb);
const UCHAR* authBlock;
Modified: firebird/trunk/src/common/config/config.cpp
===================================================================
--- firebird/trunk/src/common/config/config.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/common/config/config.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -179,7 +179,8 @@
{TYPE_BOOLEAN, "SharedDatabase", (ConfigValue) false},
{TYPE_STRING, "WireCrypt", (ConfigValue) NULL},
{TYPE_STRING, "WireCryptPlugin", (ConfigValue) "Arc4"},
- {TYPE_STRING, "KeyHolderPlugin", (ConfigValue) ""}
+ {TYPE_STRING, "KeyHolderPlugin", (ConfigValue) ""},
+ {TYPE_BOOLEAN, "RemoteAccess", (ConfigValue) true}
};
/******************************************************************************
@@ -720,3 +721,8 @@
else // the safest choice
return WIRE_CRYPT_REQUIRED;
}
+
+bool Config::getRemoteAccess() const
+{
+ return get<bool>(KEY_REMOTE_ACCESS);
+}
Modified: firebird/trunk/src/common/config/config.h
===================================================================
--- firebird/trunk/src/common/config/config.h 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/common/config/config.h 2013-11-22 15:21:11 UTC (rev 58822)
@@ -69,12 +69,6 @@
extern const char* GCPolicyBackground;
extern const char* GCPolicyCombined;
-extern const char* AmNative;
-extern const char* AmTrusted;
-extern const char* AmMixed;
-
-enum AmCache {AM_UNKNOWN, AM_DISABLED, AM_ENABLED};
-
const int WIRE_CRYPT_DISABLED = 0;
const int WIRE_CRYPT_ENABLED = 1;
const int WIRE_CRYPT_REQUIRED = 2;
@@ -140,6 +134,7 @@
KEY_WIRE_CRYPT,
KEY_PLUG_WIRE_CRYPT,
KEY_PLUG_KEY_HOLDER,
+ KEY_REMOTE_ACCESS,
MAX_CONFIG_KEY // keep it last
};
@@ -332,6 +327,8 @@
const char* getSecurityDatabase() const;
int getWireCrypt(WireCryptMode wcMode) const;
+
+ bool getRemoteAccess() const;
};
// Implementation of interface to access master configuration file
Modified: firebird/trunk/src/include/consts_pub.h
===================================================================
--- firebird/trunk/src/include/consts_pub.h 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/include/consts_pub.h 2013-11-22 15:21:11 UTC (rev 58822)
@@ -101,7 +101,7 @@
#define isc_dpb_gfix_attach 66
#define isc_dpb_gstat_attach 67
#define isc_dpb_set_db_charset 68
-#define isc_dpb_gsec_attach 69
+/* #define isc_dpb_gsec_attach 69 */
#define isc_dpb_address_path 70
#define isc_dpb_process_id 71
#define isc_dpb_no_db_triggers 72
Modified: firebird/trunk/src/jrd/jrd.cpp
===================================================================
--- firebird/trunk/src/jrd/jrd.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/jrd/jrd.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -821,7 +821,6 @@
bool dpb_overwrite;
bool dpb_sec_attach;
bool dpb_disable_wal;
- bool dpb_gsec_attach;
SLONG dpb_connect_timeout;
SLONG dpb_dummy_packet_interval;
bool dpb_db_readonly;
@@ -942,7 +941,7 @@
static void handle_error(Firebird::IStatus*, ISC_STATUS);
namespace {
- enum VdnResult {VDN_FAIL, VDN_OK, VDN_SECURITY};
+ enum VdnResult {VDN_FAIL, VDN_OK/*, VDN_SECURITY*/};
}
static VdnResult verifyDatabaseName(const PathName&, ISC_STATUS*, bool);
@@ -1315,13 +1314,11 @@
// Initialize special error handling
try
{
- // If database to be opened is security database, then only
- // gsec or SecurityDatabase may open it. This protects from use
- // of old gsec to write wrong password hashes into it.
- if (vdn == VDN_SECURITY && !options.dpb_gsec_attach && !options.dpb_sec_attach)
+ // Check for ability to access requested DB remotely
+ if (options.dpb_remote_address.hasData() && !config->getRemoteAccess())
{
- ERR_post(Arg::Gds(isc_no_priv) << Arg::Str("direct") <<
- Arg::Str("security database") <<
+ ERR_post(Arg::Gds(isc_no_priv) << Arg::Str("remote") <<
+ Arg::Str("database") <<
Arg::Str(org_filename));
}
@@ -2417,13 +2414,11 @@
// Initialize special error handling
try
{
- // If database to be opened is security database, then only
- // gsec or SecurityDatabase can open it. This protects from use
- // of old gsec to write wrong password hashes into it.
- if (vdn == VDN_SECURITY && !options.dpb_gsec_attach && !options.dpb_sec_attach)
+ // Check for ability to access requested DB remotely
+ if (options.dpb_remote_address.hasData() && !config->getRemoteAccess())
{
- ERR_post(Arg::Gds(isc_no_priv) << Arg::Str("direct") <<
- Arg::Str("security database") <<
+ ERR_post(Arg::Gds(isc_no_priv) << Arg::Str("remote") <<
+ Arg::Str("database") <<
Arg::Str(org_filename));
}
@@ -5703,10 +5698,6 @@
dpb_gfix_attach = true;
break;
- case isc_dpb_gsec_attach:
- dpb_gsec_attach = rdr.getBoolean();
- break;
-
case isc_dpb_disable_wal:
dpb_disable_wal = true;
break;
@@ -6957,7 +6948,7 @@
**/
static VdnResult verifyDatabaseName(const PathName& name, ISC_STATUS* status, bool is_alias)
{
- // Check for security2.fdb
+ // Check for securityX.fdb
static GlobalPtr<PathName> securityNameBuffer, expandedSecurityNameBuffer;
static GlobalPtr<Mutex> mutex;
@@ -6972,10 +6963,11 @@
}
if (name == securityNameBuffer || name == expandedSecurityNameBuffer)
- return VDN_SECURITY;
+ return VDN_OK;
// Check for .conf
- if (!JRD_verify_database_access(name)) {
+ if (!JRD_verify_database_access(name))
+ {
if (!is_alias) {
ERR_build_status(status, Arg::Gds(isc_conf_access_denied) << Arg::Str("database") <<
Arg::Str(name));
Modified: firebird/trunk/src/jrd/tra.cpp
===================================================================
--- firebird/trunk/src/jrd/tra.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/jrd/tra.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -2494,8 +2494,6 @@
Firebird::ClumpletWriter dpb(Firebird::ClumpletReader::Tagged, MAX_DPB_SIZE, isc_dpb_version1);
dpb.insertByte(isc_dpb_sweep, isc_dpb_records);
- // sometimes security database is also to be swept
- dpb.insertByte(isc_dpb_gsec_attach, 1);
// use trusted authentication to attach database
const char* szAuthenticator = "sweeper";
dpb.insertString(isc_dpb_trusted_auth, szAuthenticator, strlen(szAuthenticator));
Modified: firebird/trunk/src/remote/server/server.cpp
===================================================================
--- firebird/trunk/src/remote/server/server.cpp 2013-11-22 08:10:50 UTC (rev 58821)
+++ firebird/trunk/src/remote/server/server.cpp 2013-11-22 15:21:11 UTC (rev 58822)
@@ -2112,10 +2112,6 @@
{
switch (pb->getClumpTag())
{
- // Disable remote gsec attachments
- case isc_dpb_gsec_attach:
- case isc_dpb_sec_attach:
-
// remove trusted auth & trusted role if present (security measure)
case isc_dpb_trusted_role:
case isc_dpb_trusted_auth:
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|