Databases and Permissions

Networking/Security Forums -> Databases

Author: d34dl0k1 Posted: Mon Jun 04, 2007 11:58 pm    Post subject: Databases and Permissions
    ----
Do any DBMSs exist that have users integrated with the users of the host operating system? For instance... if I have a user with permissions to table X and not table Y...

The database user can traditionally exploit the database software to gain access to Y. However, if the instance of the database were run as a separate user on the host operating system, they would not have access to table Y regardless of any malicious code that happens to run under their account (save for privilege escalation).

Also a helpful feature... do any databases offer row based access control? Example... if I have a table of user accounts... I wouldn't want DB users to be able to access the other rows in that table via SQL injection or w/e.

I view these as more powerful access controls and would find value in them...

Thanks!

Author: Groovicus Location: Centerville, South Dakota Posted: Thu Aug 16, 2007 5:24 am    Post subject:
    ----
Quote:
For instance... if I have a user with permissions to table X and not table Y..


I am probably not understanding your question, but the GRANTS command limits what users have access to which database or table.

Quote:
The database user can traditionally exploit the database software to gain access to Y
I am not sure what you mean by traditionally, but if you can't trust your users enough to give them raw access to the database, then they shouldn't have raw access anyway. Any software interfaces should have a means for sanitizing queries, and custom error handling so that error messages never make it back to the attacker.

Quote:
do any databases offer row based access control?
Not that I know of, and what would really be the point? If I needed to keep data from a single table separated for various users, I would simply create a VIEW for each one of them that contained only the information that they needed.

Quote:
via sql injection or w/e.


w/e? Confused
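
The table-level grant and per-user view approach described in the reply above, written out as an added example that is not part of the original thread. It uses PostgreSQL syntax and generalizes "a VIEW for each one" to a single view filtered on `current_user`; the roles, table, view and sample rows are hypothetical, and the script assumes it is run by a superuser so that `SET ROLE` works.

```sql
-- Constructed example (PostgreSQL syntax); all role and object names are hypothetical.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

CREATE TABLE accounts (
    id      serial PRIMARY KEY,
    owner   name NOT NULL,               -- database role the row belongs to
    email   text NOT NULL,
    balance numeric(12,2) NOT NULL DEFAULT 0
);

-- Constructed sample rows.
INSERT INTO accounts (owner, email, balance) VALUES
    ('alice', 'alice@example.test', 100.00),
    ('bob',   'bob@example.test',   250.00);

-- Table-level control: ordinary roles get no privileges on the base table.
REVOKE ALL ON accounts FROM PUBLIC;

-- Row-level control through a view: the WHERE clause is evaluated against
-- the role issuing the query, while the view itself reads the base table
-- with its owner's privileges. security_barrier stops user-supplied
-- predicates from being evaluated before the owner filter.
CREATE VIEW my_account WITH (security_barrier) AS
    SELECT id, email, balance
    FROM accounts
    WHERE owner = current_user;

GRANT SELECT ON my_account TO alice, bob;

-- Check as alice: the view is readable and filtered to her role.
SET ROLE alice;
SELECT id, email, balance FROM my_account;
RESET ROLE;

-- Check as bob: a direct read of the base table is refused by the
-- privilege check, whatever text an injected query contains.
SET ROLE bob;
SELECT id, email, balance FROM accounts;
RESET ROLE;
```

This separation only holds if each person or application tenant connects as its own database role; an application that runs every query under one shared role gets no row separation from it.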



All times are GMT + 2 Hours