1<?xml version="1.0" encoding="UTF-8" standalone="no"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml"> 4 <head> 5 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 6 <title>Security</title> 7 <link rel="stylesheet" href="gettingStarted.css" type="text/css" /> 8 <meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /> 9 <link rel="start" href="index.html" title="Berkeley DB Programmer's Reference Guide" /> 10 <link rel="up" href="env.html" title="Chapter��9.�� The Berkeley DB Environment" /> 11 <link rel="prev" href="env_region.html" title="Shared memory regions" /> 12 <link rel="next" href="env_encrypt.html" title="Encryption" /> 13 </head> 14 <body> 15 <div class="navheader"> 16 <table width="100%" summary="Navigation header"> 17 <tr> 18 <th colspan="3" align="center">Security</th> 19 </tr> 20 <tr> 21 <td width="20%" align="left"><a accesskey="p" href="env_region.html">Prev</a>��</td> 22 <th width="60%" align="center">Chapter��9.�� 23 The Berkeley DB Environment 24 </th> 25 <td width="20%" align="right">��<a accesskey="n" href="env_encrypt.html">Next</a></td> 26 </tr> 27 </table> 28 <hr /> 29 </div> 30 <div class="sect1" lang="en" xml:lang="en"> 31 <div class="titlepage"> 32 <div> 33 <div> 34 <h2 class="title" style="clear: both"><a id="env_security"></a>Security</h2> 35 </div> 36 </div> 37 </div> 38 <p>The following are security issues that should be considered when writing 39Berkeley DB applications:</p> 40 <div class="variablelist"> 41 <dl> 42 <dt> 43 <span class="term">Database environment permissions</span> 44 </dt> 45 <dd>The directory used as the Berkeley DB database environment should have its 46permissions set to ensure that files in the environment are not accessible 47to users without appropriate permissions. Applications that add to the 48user's permissions (for example, UNIX setuid or setgid applications), 49must be carefully checked to not permit illegal use of those permissions 50such as general file access in the environment directory.</dd> 51 <dt> 52 <span class="term">Environment variables</span> 53 </dt> 54 <dd>Setting the <a href="../api_reference/C/envopen.html#envopen_DB_USE_ENVIRON" class="olink">DB_USE_ENVIRON</a> 55and <a href="../api_reference/C/envopen.html#envopen_DB_USE_ENVIRON_ROOT" class="olink">DB_USE_ENVIRON_ROOT</a> flags 56and allowing the use of environment variables during file naming can be 57dangerous. Setting those flags in Berkeley DB applications with additional 58permissions (for example, UNIX setuid or setgid applications) could 59potentially allow users to read and write databases to which they would 60not normally have access.</dd> 61 <dt> 62 <span class="term">File permissions</span> 63 </dt> 64 <dd>By default, Berkeley DB always creates files readable and writable by the owner 65and the group (that is, S_IRUSR, S_IWUSR, S_IRGRP and S_IWGRP; or octal mode 660660 on historic UNIX systems). The group ownership of created files is 67based on the system and directory defaults, and is not further specified 68by Berkeley DB.</dd> 69 <dt> 70 <span class="term">Temporary backing files</span> 71 </dt> 72 <dd>If an unnamed database is created and the cache is too small to hold 73the database in memory, Berkeley DB will create a temporary physical file to 74enable it to page the database to disk as needed. In this case, 75environment variables such as <span class="bold"><strong>TMPDIR</strong></span> may be used to specify 76the location of that temporary file. Although temporary backing files 77are created readable and writable by the owner only (S_IRUSR and 78S_IWUSR, or octal mode 0600 on historic UNIX systems), some filesystems 79may not sufficiently protect temporary files created in random 80directories from improper access. To be absolutely safe, applications 81storing sensitive data in unnamed databases should use the 82<a href="../api_reference/C/envset_tmp_dir.html" class="olink">DB_ENV->set_tmp_dir()</a> method to specify a temporary directory with 83known permissions.</dd> 84 <dt> 85 <span class="term">Tcl API</span> 86 </dt> 87 <dd>The Berkeley DB Tcl API does not attempt to avoid evaluating input as Tcl 88commands. For this reason, it may be dangerous to pass unreviewed user 89input through the Berkeley DB Tcl API, as the input may subsequently be 90evaluated as a Tcl command. Additionally, the Berkeley DB Tcl API 91initialization routine resets process' effective user and group IDs to 92the real user and group IDs, to minimize the effectiveness of a Tcl 93injection attack.</dd> 94 </dl> 95 </div> 96 </div> 97 <div class="navfooter"> 98 <hr /> 99 <table width="100%" summary="Navigation footer"> 100 <tr> 101 <td width="40%" align="left"><a accesskey="p" href="env_region.html">Prev</a>��</td> 102 <td width="20%" align="center"> 103 <a accesskey="u" href="env.html">Up</a> 104 </td> 105 <td width="40%" align="right">��<a accesskey="n" href="env_encrypt.html">Next</a></td> 106 </tr> 107 <tr> 108 <td width="40%" align="left" valign="top">Shared memory regions��</td> 109 <td width="20%" align="center"> 110 <a accesskey="h" href="index.html">Home</a> 111 </td> 112 <td width="40%" align="right" valign="top">��Encryption</td> 113 </tr> 114 </table> 115 </div> 116 </body> 117</html> 118