some more readme's

2025-01-22 20:43:02 +01:00 · 2003-06-22 12:37:13 +00:00 · 2003-06-22 12:37:13 +00:00 · 23fd7d54b5
commit 23fd7d54b5
parent 1f37184f5a
2 changed files with 131 additions and 0 deletions
--- a/doc/README.NTSecurity
+++ b/doc/README.NTSecurity
@ -0,0 +1,52 @@
 Issue: 
 ======
 If the LocalSystem user is allowed to install the Firebird Service,
 it could make the whole system accessible to a malicious attacker.  
 Scope:
 ======
 Affects Windows NT platforms.
 Document author:
 =================
 Alex Peshkov (pes@insi.yaroslavl.ru)
 Document date:  2003/06/22
 ==============
 Firebird installation kits for Windows NT systems, i.e. those that
 support services, currently provide a route into the host system 
 for any hacker who finds a new security hole in Firebird.  All of 
 the current kits install the Firebird service to run under the 
 LocalSystem account. Through Firebird, the attacker can get 
 LocalSystem access to the system.
 The steps to fix things manually are simple:
 1)  add the user 'firebird' as a member of the Domain users group,  
    with default rights
 2)  grant this user write access to all databases, including 
    security.fdb (isc4.gdb in pre-1.5 versions), and the 
    firebird.log file
 3)  grant the user 'firebird' rights to "Login as service" 
 4)  make the Firebird services (FirebirdServer and FirebirdGuardian,
    if used, log in with username 'firebird'
 Solution:
 =========
 Alex Peshkov
 People writing installers should note that Firebird's standard routine 
 to install and manage the Firebird Service on WinNT/2000/XP platforms 
 (instsvc.exe) was upgraded in version 1.5 by the addition of an
 optional L[ogin] switch to the {install} command.  It is strongly
 recommended that you employ this switch in the Windows kits, to make
 the 'firebird' user, not LocalSystem, the default account under which
 the Firebird Service logs in.
 For more details, see the document README.instsvc
 switch to (see instsvc.exe).
--- a/doc/README.instsvc
+++ b/doc/README.instsvc
@ -0,0 +1,79 @@
 README to instsvc.exe
 ----------------------
 Author:   Alex Peshkov (pes@insi.yaroslavl.ru)
 Firebird provides a standard routine to manage the Firebird Service
 on WinNT/2000/XP platforms - instsvc.exe.
 NOTE  Most of the instsvc switches are self-explanatory. 
       The only obscure one - the -z switch - causes 
       instsvc.exe to print the Firebird software version 
       as the first line of output.
 To install the Firebird service on your box:
 instsvc {install Firebird_directory [-auto | -demand] [-superserver | -classic]} 
  [-g[uardian]] [-l[ogin] username [password]] [-z]
 To remove the service:
 instsvc {remove} [-g[uardian]] [-z]
 To set the priority of the server process next time it is installed 
 (see also the reimplemented ProcessPriorityLevel parameter in 
 firebird.conf):
 instsvc {configure [-boostpriority | -regularpriority]} [-z]
 To start the Firebird service with altered process priority:
 instsvc {start [-boostpriority | -regularpriority] } [-z]
 To stop the Firebird service:
 instsvc {stop} [-z]
    To enhance Firebird security, the service management program 
 has been modified to accept a login switch, to optionally 
 pre-empt the LocalSystem user from being, by default, the user 
 under which the Firebird service logs in. 
 NOTE  Regular user login is not compatible with the local access 
       protocol, which relies on SERVICE_INTERACTIVE_PROCESS mode 
       ("Allow service to interact with Desktop").  For this reason, 
       unfortunately, the local access protocol remains a source of 
       vulnerability.
    If the -[L] switch is not present, instsvc.exe proceeds as 
 before, logging in the service using the LocalSystem profile.
    The switch [-Login username [password]] allows the Firebird 
 service to log in as a real user instead of the LocalSystem user.
 When instsvc.exe detects this switch, it looks for two arguments, 
 username and password.
    If a username is present, it proceeds to check the next string.
 If the first character is not a '-' (minus sign), it interprets the 
 string as a password.  Thus, the password should not begin with '-'. 
    If the username and password do not resolve to a valid domain 
 user, or one or both are missing, the usual NT built-in checking takes 
 over and any error will be due to a validation failure of the 
 domain\user string that is resolved from the input.
    The user username needs to have privileges to log in as a service, 
 as well as read/write access to all databases and the firebird.log file.
 For security reasons, write access to firebird.conf and Firebird 
 executables should NOT be given.
    Use of the -L switch disables the use of local protocol, so the 
 system administrator must choose between increased security and the 
 ability to use the local database access protocol. For production servers 
 that need to run in potentially aggressive environments, the -L switch is 
 strongly recommended.
 NOTE  A reworking of windows local access - a relic of its original 
       implementation back in Windows 3.11 - is overdue and is scheduled 
       for a release beyond Firebird 1.5.  Amongst other changes, it 
       will be made compatible with the -l[ogin] switch in instsvc.exe.