[Pkg-firebird-general] Fw: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?

Remco Seesink raseesink@hotpop.com
Wed, 16 Jun 2004 19:30:32 +0200

> It would be nice not to abandon 1.0.X.
> Is the following workaround acceptable?
> fb1.3 should not be run as root.
It already runs as user firebird, so this should work.

> A lot can be done to tighten up the security by changing the runtime 
> user of the servers to be "firebird:firebird" (this is now the default 
> in f1.5).
> Also for classic restricting users to be in the group firebird to 
> directly access databases and /opt/firebird/* files.

That would be /var/lib/firebird in debian. Are you talking about restricting
by setting users / permission? This is already done. Or do you mean some
kind of configuration?

> This means a break in the server will not give root access at least.
> In f1.0.X running servers as firebird:firebird is optional, as it causes 
> a few user permission problems - but it's better than abandoning the 
> package.
> Some buffer overflows fixes should also be backported (env variables and 
> filenames, spring to mind).
Ok. We can backport security fixes even after sarge releases, but the sooner
the better.

> But the recommendation would be to use the f1.5 version, and 1.0.X only 
> if needed.

I am preparing a firebird 1.0.3 package right now which gives a big security
warning when installing and in the documentation and advises to use 1.5.x
when security is important.
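The permission model discussed above (server running as firebird:firebird, only members of group firebird allowed to reach the database files) can be checked with a short audit script. This is an added example, not code from the thread or the Debian package; the Debian data directory /var/lib/firebird, the group name and the server process names are assumptions.

```shell
#!/bin/sh
# Audit helpers for the firebird:firebird model: database files must not be
# readable or writable by "other", and must belong to the firebird group.
# Added example; paths, group and process names below are assumptions.

# List every path under $1 that breaks the model: any "other" read/write bit
# set (octal 004 / 002), or group different from $2.
# Returns 0 when the tree is clean, 1 when at least one path is flagged.
audit_firebird_tree() {
    dir="$1"
    grp="$2"
    flagged=$(find "$dir" \( -perm -004 -o -perm -002 -o ! -group "$grp" \) -print)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Report Firebird server processes still owned by root (they should run as
# user firebird). Returns 0 (true) and prints them when any are found,
# 1 when none are. Binary names are the 1.x-era super/classic/guardian
# names and are an assumption; adjust for the installed package.
server_running_as_root() {
    ps -eo user= -o comm= | awk '
        $2 ~ /^(fbserver|fb_inet_server|fbguard|ibserver)$/ && $1 == "root" { found = 1; print }
        END { exit found ? 0 : 1 }'
}

# Usage on a real host (as root):
#   audit_firebird_tree /var/lib/firebird firebird || echo "permissions too open"
#   server_running_as_root && echo "server still runs as root"
```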