[Pkg-firebird-general] Fw: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?
Remco Seesink
raseesink@hotpop.com
Wed, 16 Jun 2004 19:30:32 +0200
> It would be nice not to abandon 1.0.X.
>
>
> Is the following workaround acceptable?
>
> fb1.3 should not be run as root.
It already runs as user firebird, so this should work.
>
> A lot can be done to tighten up the security by changing the runtime
> user of the servers to be "firebird:firebird" (this is now the default
> in f1.5).
>
> Also for classic restricting users to be in the group firebird to
> directly access databases and /opt/firebird/* files.
That would be /var/lib/firebird in Debian. Are you talking about restricting
by setting users/permissions? This is already done. Or do you mean some
kind of configuration?
> This means a break in the server will not give root access at least.
>
> In f1.0.X running servers as firebird:firebird is optional, as it causes
> a few user permission problems - but it's better than abandoning the
> package.
>
> Some buffer overflow fixes should also be backported (env variables and
> filenames spring to mind).
>
Ok. We can backport security fixes even after sarge releases, but the sooner
the better.
> But the recommendation would be to use the f1.5 version, and 1.0.X only
> if needed.
I am preparing a firebird 1.0.3 package right now which gives a big security
warning when installing and in the documentation and advises to use 1.5.x
when security is important.
Cheers,
Remco.
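The thread above proposes two mitigations for a 1.0.x server that still has unfixed overflows: run it as firebird:firebird rather than root, and restrict direct access to the database files to members of group firebird. The script below is an added example, written for this page; it is not code from the Firebird project, the Debian package or anyone in this thread. It audits a data directory (Debian: /var/lib/firebird) for files that are not owned by the expected user and group or that grant any permission to "other", strips the "other" bits, and refuses to start a server process as root. The helper names (audit_fb_dir, harden_fb_dir, refuse_root) and the 0660/0750 expectations are assumptions made here, not settings documented by the project.

```shell
#!/bin/sh
# Added example, not from the Firebird project, the Debian package or the
# mailing-list thread. Checks the file-permission side of the proposed
# hardening: database files owned by an unprivileged user/group and with no
# access bits for "other", so only members of that group can reach them.

# audit_fb_dir DIR USER GROUP
# Print every file or directory under DIR that is not owned by USER:GROUP or
# that has any read/write/execute bit set for "other". Returns 0 when the
# tree is clean, 1 when offenders were printed, 2 when DIR does not exist.
audit_fb_dir() {
    dir=$1; want_user=$2; want_group=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Octal masks are used instead of "o+r" style modes for portability.
    offenders=$(find "$dir" \( -type f -o -type d \) \
        \( ! -user "$want_user" -o ! -group "$want_group" \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# harden_fb_dir DIR
# Remove the "other" permission bits from everything under DIR. Ownership is
# deliberately left alone: chown needs root and depends on the local
# user/group names, so it belongs in the package's postinst, not here.
harden_fb_dir() {
    dir=$1
    find "$dir" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# refuse_root
# Guard for a start script: returns 1 if the caller is root. The server
# should be started as the unprivileged user (e.g. via su from the init
# script) so that a break-in does not hand out root.
refuse_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run the server as root" >&2
        return 1
    fi
    return 0
}

# Typical use on a Debian system (assumed paths and names):
#   audit_fb_dir /var/lib/firebird firebird firebird || harden_fb_dir /var/lib/firebird
#   refuse_root && exec /usr/lib/firebird/bin/fbserver
```

Note that `harden_fb_dir` only closes the world-access hole; a file still owned by root or by the wrong group is reported by `audit_fb_dir` but left for the administrator to chown, since the right owner depends on which of the two runtime-user options (root or firebird:firebird) the installation uses.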