Security - what security?
- From: mweallans@xxxxxxxxxxxxx
- Date: 11 Aug 2005 05:15:26 -0700
I've been doing some investigation into a little problem with
privileges. And this is what I have found.
If you want to access an Informix database via ODBC and your normal
login and password are restricted then set up your odbc connection with
no user name and password and you can do anything.
This is what I did to prove it.
1. I created a new database called security.
2. I added two tables - opentab and securetab
3. I revoked all permissions on securetab from public
4. I granted connect to public.
5. From MS-Access I set up a new database
6. I used "link-tables" to add a new odbc connection with no username
or password, and to link both tables.
7. I could SELECT, INSERT, UPDATE, and DELETE from both tables.
8. I then deleted both tables from my access database. and used control
panel to remove the odbc connection.
9. I then repeated steps 5-7 but with a valid username and password.
10. I couldn't access the securetab.
So, using a username and password is secure but not using a username
and password gives full access.
Can anybody spot anything wrong in my reasoning?
BTW I have done this on IDS 9.4, running on AIX 5.2, and I was running
Windows XP with MS-Access 2002 SP3, and Informix-Client SDK version
2.81
regards
Malcolm
.
- Follow-Ups:
- Re: Security - what security?
- From: Fernando Nunes
- Re: Security - what security?
- Prev by Date: Re: Need help to empty data in chunk before drop it.
- Next by Date: RE: Config for OLTP system
- Previous by thread: IDS 9.3 on Linux opening 2 database licenses at a time
- Next by thread: Re: Security - what security?
- Index(es):
Relevant Pages
|
