
Intriguing OleDB problem


    #31
    Originally posted by doodab View Post
    That's the point he's trying to make. Good security practice is to give the app the least privileges required to do what it needs to do i.e. give it permission to the oracle home directory. By choosing to impersonate another user you have, as a side effect, given it access to everything that user can access which probably includes lots and lots of other things that it doesn't need and probably shouldn't have access to. If the web app were to be exploited and an attacker able to run arbitrary code the range of things they could do is now significantly wider.
    Yep, know all of this. Accept all of this. Have clearance from above to do this.
    This is a prototype. It serves the purpose of demonstrating that it can be done, and can be done relatively cheaply.

    When we get the go ahead to develop this the security issue will be dealt with properly. For now, I just needed a fix to get the prototype working. To get the security permissions changed would require red tape, and this carries a time penalty the luxury of which we currently can ill afford.

    The impersonated user has access within the sandbox, and that's about it so the risk is minimal.

    I accept eek's comments as entirely valid, and have indicated this many times. The thing I don't accept is his tendency to have a hissy fit at the slightest hint of a challenge to his suggestions.
    Knock first as I might be balancing my chakras.

    Comment
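The least-privilege alternative doodab describes above, as an added example that is not from the thread or from any poster: instead of the shortcut of `<identity impersonate="true" userName="..." password="..."/>` in web.config (which hands the web app every right that account has), run the site under its own app pool identity and grant that identity read-and-execute on the Oracle home directory only. The app pool name, site path and ORACLE_HOME below are assumptions for illustration; run it elevated on the IIS host.

```powershell
# Added example, not from the thread. Assumed values: adjust to your environment.
# Requires the WebAdministration module (IIS 7+) and an elevated prompt.
Import-Module WebAdministration

$AppPool    = 'OracleProto'                 # assumed app pool name
$SitePath   = 'C:\inetpub\OracleProto'      # assumed web root containing web.config
$OracleHome = 'C:\oracle\product\client_1'  # assumed ORACLE_HOME
$Principal  = "IIS AppPool\$AppPool"        # virtual account IIS creates for the pool

# 1. Dedicated app pool running as its own virtual account, not as a real user.
if (-not (Test-Path "IIS:\AppPools\$AppPool")) {
    New-WebAppPool -Name $AppPool | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# 2. Grant only Read & Execute on ORACLE_HOME, inherited to subfolders and files.
#    (OI)(CI) = object/container inherit; RX = read and execute. No Write, no Full Control.
& icacls $OracleHome /grant "${Principal}:(OI)(CI)RX" /T /Q

# 3. Remove the impersonation shortcut from web.config if it is present, so the
#    request runs as the pool identity rather than as a stored user account.
$ConfigPath = Join-Path $SitePath 'web.config'
[xml]$cfg = Get-Content $ConfigPath
$identity = $cfg.configuration.'system.web'.identity
if ($identity -and $identity.impersonate -eq 'true') {
    Write-Warning "web.config impersonates '$($identity.userName)'; switching impersonation off."
    $identity.SetAttribute('impersonate', 'false')
    $identity.RemoveAttribute('userName')
    $identity.RemoveAttribute('password')
    $cfg.Save($ConfigPath)
}

# 4. Verify the effective ACE the pool identity now holds on ORACLE_HOME.
(Get-Acl $OracleHome).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

If the provider still fails after this, find the specific path or registry key it is denied (Process Monitor filtered on ACCESS DENIED for the w3wp.exe process) and grant that one item, rather than widening back to a user account: each extra right is exactly what an attacker who gets code execution in the web app inherits.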


      #32
      Suity,

      You're not on my ignore list as I don't actually mind helping you out. I just hoped you might take the hint when I said do x, do x, do x while you rabbited on about other options.

      The main reason why I didn't say don't do Y, it's a bad idea, is because you always want an explanation from elsewhere why and I couldn't provide that from the location I was sat in.
      merely at clientco for the entertainment

      Comment


        #33
        Originally posted by suityou01 View Post
        When we get the go ahead to develop this the security issue will be dealt with properly. For now, I just needed a fix to get the prototype working.

        Comment


          #34
          Originally posted by NickFitz View Post
          Oh don't you furkin start
          Knock first as I might be balancing my chakras.

          Comment


            #35
            Originally posted by eek View Post
            Suity,

            You're not on my ignore list as I don't actually mind helping you out. I just hoped you might take the hint when I said do x, do x, do x while you rabbited on about other options.

            The main reason why I didn't say don't do Y, it's a bad idea, is because you always want an explanation from elsewhere why and I couldn't provide that from the location I was sat in.
            Apology accepted.

            Knock first as I might be balancing my chakras.

            Comment


              #36
              Originally posted by TheFaQQer View Post
              ignoreList

              Oh, the irony

              (And since user_name is case sensitive, the query would return no rows anyway)
              I was so hoping it would have a bug
              Originally posted by MaryPoppins
              I'd still not breastfeed a nazi
              Originally posted by vetran
              Urine is quite nourishing

              Comment


                #37
                Originally posted by suityou01 View Post
                This is a prototype. It serves the purpose of demonstrating that it can be done, and can be done in a slapdash manner that despite the best of intentions will end up in production because once you've built the prototype they won't be interested in paying for you to build it again.
                FTFY
                While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'

                Comment
