On 6/28/26 21:05, Vlad Khorsun wrote:
>>> Second, it is wrong way to detect **remote** access by presence of
>>> dpb_auth_block, imho.
>>> I see no guarantee that empty dpb_auth_block means embedded access.
>>> In any case it is not related things.
>>
>> Here I do not agree with you. To be precise - not empty but missing.
>> Yes, someone can add dpb_auth_block when performing embedded access -
>> but IMHO that's not our problem :)
>
> So, should we document that embedded connection **must** not perform
> any kind of user auth ?
Document what? Currently it just can not perform such authentication and
does not do it. That was documented in FB3 relnotes (no need to provide
password for embedded connection). Do not forget that as long as user
has OS access to target database any attempt to seriously limit SQL
access to them is pure security through obscurity.
> Could you guarantee this will not be changed by us in the future - for
> some new functionality ?
> Sorry, it doesn't sounds right to me.
>
From security POV embedded connection first of all means that all
access rights are based on OS user name (or one specified explicitly
when attaching). If we add some authentication to it (makes no sense
with known to me OSes but who knows what may change in the future) such
connection starts to play by server security rules. And should not be
treated as embedded when dealing with it.
Well, certainly we can't guess what may happen. But that's not a reason
to stop playing current real rules.
>> On the other hand any remote (connected using remote server)
>> attachment always has dpb_auth_block. Without creation of it by
>> server one can not attach. I.e. it's tightly related things.
>
> What about nested ES calls ? Something like:
>
> App
> connect inet://server/user_database
> call ES on 'user_database' -- embedded
> call ES on 'security.db' -- embedded
>
No matter how long chain of embedded connections is in use - auth block
will be present at all levels.
>
>>> Next, I'm pretty sure we must allow any kind of **direct** access
>>> from local host - i.e. using
>>> any network protocol. By **direct** access I mean explicit connect
>>> from user application, i.e.
>>> without intermediary as ES.
>>>
>>> Before this change xnet://security.db was allowed and now it is not.
>>> inet://security.db was not allowed and I consider it as a wrong thing.
>>>
>>> The setting RemoteAccess was introduced to control access to the
>>> database from non-local hosts.
>>> And its implementation always was a bit not correct, now it is even
>>> more wrong.
>>
>> OK, we can enable local connection by using any protocol. But do we
>> have reliable way to distinguish it from ESOE one? Check PID in DPB?
>> Will not work for classic.
>
> ES could pass in DPB anything required for our goal - such as
> properties (host, username, etc)
> of original user connection.
>
Yes that should be enough to have smart logic when deciding is
connection local enough or not. I specially use this "local enough"
cause looks like devel list does not have common understanding where is
the boarder between local and remote.