Security Forums

Databases and Permissions

d34dl0k1
Just Arrived
Joined: 16 Mar 2007
Posts: 0

Posted: Mon Jun 04, 2007 11:58 pm    Post subject: Databases and Permissions

Do any DBMS' exist that have users integrated with the users of the host operating system? For instance... if I have a user with permissions to table X and not table Y...

The database user can traditionally exploit the database software to gain access to Y. However, if the instance of the database were run as a separate user on the host operating system, they would not have access to table Y regardless of any malicious code that happens to run under their account (save for privilege escalation).

Also a helpful feature... do any databases offer row based access control? Example... if I have a table of user accounts... I wouldn't want DB users to be able to access the other rows in that table via sql injection or w/e.

I view these as more powerful access controls and would find value in them...

Thanks!
Groovicus
Trusted SF Member
Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Posted: Thu Aug 16, 2007 5:24 am    Post subject:

Quote:
For instance... if I have a user with permissions to table X and not table Y..


I am probably not understanding your question, but the GRANTS command limits what users have access to which database or table.

Quote:
The database user can traditionally exploit the database software to gain access to Y
I am not sure what you mean by traditionally, but if you can't trust your users enough to give them raw access to the database, then they shouldn't have raw access anyway. Any software interfaces should have a means for sanitizing queries, and custom error handling so that error messages never make it back to the attacker.

Quote:
do any databases offer row based access control?
Not that I know of, and what would really be the point? If I needed to keep data from a single table separated for various users, I would simply create a VIEW for each one of them that contained only the information that they needed.

Quote:
via sql injection or w/e.


w/e? Confused
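Added example, not part of the thread: the row-restriction question and the VIEW suggestion above, worked through in PostgreSQL (9.5 or later for the row-level security part). The table, column and role names are constructed placeholders, and the sketch assumes each application user connects as their own database role and that the script is run by a superuser.

```sql
-- Constructed schema: one row per account, tagged with the owning database role.
CREATE TABLE accounts (
    id    serial PRIMARY KEY,
    owner name NOT NULL,   -- role allowed to see this row
    email text NOT NULL
);
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
INSERT INTO accounts (owner, email) VALUES
    ('alice', 'alice@example.test'),
    ('bob',   'bob@example.test');

-- Approach 1: a view, as suggested in the reply, but a single view for
-- every user instead of one view each. The base table is granted to
-- nobody; users can only reach it through the filtered view.
REVOKE ALL ON accounts FROM PUBLIC;
CREATE VIEW my_account WITH (security_barrier) AS
    SELECT id, email
    FROM accounts
    WHERE owner = current_user;   -- evaluated as the role running the query
GRANT SELECT ON my_account TO alice, bob;

SET ROLE alice;
SELECT * FROM my_account;   -- only alice's row
-- SELECT * FROM accounts;  -- would fail: permission denied for table accounts
RESET ROLE;

-- Approach 2: row-level security on the table itself. The policy is
-- applied by the server to every query from a non-owner role, so a
-- statement altered by SQL injection is filtered the same way.
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY owner_only ON accounts
    FOR SELECT
    USING (owner = current_user);
GRANT SELECT ON accounts TO alice, bob;

SET ROLE bob;
SELECT id, email FROM accounts;   -- only bob's row, even without a WHERE clause
RESET ROLE;
```

Neither approach helps if the application connects with one shared database account, because `current_user` is then the same for every request.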