Database Level Security - Design Specification

High-Level Design

The goal of this change is provide added security for backing up and restoring file through "gbak". Gbak functionality will be changed so that only the owner or "SYSDBA" will be able to do a back of a database. Further in case of replacing a database only the owner or "SYSDBA" will be able to overwrite the old database with a newly restored version.

High Level Algorithm

During a backup, get the username of the client running the backup, compare this with the owner of the database or root, if the username is different do not allow the backup. During restore, currently a check is made to confirm that a old database with the same name and path does not exist. If the file exists and the replace flag was not set we exit with an error. A new check has been added, the new check, checks the ownership of the database which is going to be overwritten. If the owner of the old database is same as the user performing the restore or the restore is being done by "SYSDBA" the restore is allowed. In other cases a error is returned to the user.

Detailed Design

Internal Data Structures

No new data structures have been added to implement this functionality. Detailed Algorithm

Function open_files() in burp.c has been modified to do the following test in case of restoring a database with a replace flag.

if (sw_replace == IN_SW_BURP_R && status_vector[1] == isc_gbak_not_owner)
/* if we got an error from attach database and we have replace switch set
 * then look for error from attach returned due to not owner, if we are
 * not owner then return the error status back up
BURP_error (274, 0, 0, 0, 0, 0);
/* msg # 274 : Cannot restore over current database, must be sysdba
 * or owner of the existing database.

Further function GDS_ATTACH_DATABASE() in jrd.c the following lines have been added, so that the error is returned back to gbak, on backup and restore.

 * if the attachment is through gbak and this the attachment is not by owner
 * or sysdba then return error. This has been added here to allow for the
 * GBAK security feature of only allowing the owner or sysdba to backup a
 * database. */

if ((attachment->att_flags & ATT_gbak_attachment) &&
!(attachment->att_user->usr_flags & (USR_locksmith | USR_owner)))
ERR_post (isc_gbak_not_owner, 0);

New/Affected Modules

File have been changed in jrd.c in the jrd component. Also burp.c has been changed in the burp component.