manatt@lll-winken.ARPA (Doug Manatt) (09/04/87)
Relational Technology Inc.'s RDBMS and 4GL "Ingres" has a security problem. It turns out that the tables that the system uses to store users' objects (Forms, Graphs, Applications, Reports, JoinDefs), called "Front-end system tables" by RTI, can be changed, appended to, and deleted from by any user of the database. This means that anyone with access to a database can destroy or change another's work. There is a work-around though. You can have only one user per database, thus maintaining the security of that user's work...well, so much for the ability to share data!

Doug Manatt
angel@brl-adm.ARPA (Rick Angelini <angel>) (09/08/87)
------------------------------------------
In response to ....
To: manatt@lll-winken.ARPA
Subject: Re: Security hole in RTI ingres
Newsgroups: comp.databases
-------------------------------------------
As a user in your Ingres database, I may access a form which you created, and modify that form. However, I will *not* overwrite your original copy of that form. I will have my own personal copy of the form (it could even have the same name as your form), but I'm the only one who can access _my_ form. The form created by the DB owner is the globally accessible one. I haven't heard of a user (other than the DB owner) being able to run amuck and modify/destroy forms, reports, graphs, etc. which that individual user did not own. Of course, the DBA may at any time clean up his database by removing the offending tables, forms, graphs, etc. As a valid user in your database, I can even make my own tables with table names the same as yours. However, my tables are MY tables, and your tables are the globally accessible tables.