Thread: Protecting stored procedures
We want to protect the intellectual property of several of our stored procedures. If we put them in a separate schema in the database and only allow execute on anything in that schema would that protect our stored procedures?
Best Regards
Michael Gould, Managing Partner
Intermodal Software Solutions, LLC
904.226.0978
904.592.5250 fax
On 7 April 2011 14:46, Michael Gould <mgould@intermodalsoftwaresolutions.net> wrote:
> We want to protect the intellectual property of several of our stored procedures. If we put them in a separate schema in the database and only allow execute on anything in that schema would that protect our stored procedures?
Protect them from who?
regards
Szymon
On Thu, Apr 07, 2011 at 07:46:36AM -0500, Michael Gould wrote:
> We want to protect the intellectual property of several of our stored
> procedures. If we put them in a separate schema in the database and only
> allow execute on anything in that schema would that protect our stored
> procedures?

If your customer can have superuser access on the machine (which effectively means, "If your customer has control of the box,") then no, it won't.

If you need to do this sort of thing, then you need to write the procedures in C and deliver only object code. Even that probably won't solve everything.

A

--
Andrew Sullivan
ajs@crankycanuck.ca
On Apr 7, 2011, at 6:16 PM, Michael Gould wrote:
> We want to protect the intellectual property of several of our stored procedures. If we put them in a separate schema in the database and only allow execute on anything in that schema would that protect our stored procedures?

If the user is a normal user, then you can revoke the access of procedure from user.

If you are thinking of keeping the code of stored procedure hidden from any user, then you can use PL_secure:
http://www.enterprisedb.com/docs/en/8.4/plsecure/Postgres_Plus_Standard_Server_PL_Secure_PLpgSQL-09.htm#P134_8474

Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog: http://vibhork.blogspot.com
We wouldn't make any of the system users a superuser in Postgres and in my 20+ years experience in the industry we provide software for, the possibility of having any users of the system that are able to hack or even understand what they have if they were able to is slim.

I understand that anything can be reverse engineered. I had a relationship with a Russian program several years ago that could take the compiled C modules, reverse engineer them to assembler and then back to the original C code to find and report bugs. That being said I don't worry too much about those types.

Best Regards
Michael Gould

"Andrew Sullivan" <ajs@crankycanuck.ca> wrote:
> On Thu, Apr 07, 2011 at 07:46:36AM -0500, Michael Gould wrote:
>> We want to protect the intellectual property of several of our stored
>> procedures. If we put them in a separate schema in the database and only
>> allow execute on anything in that schema would that protect our stored
>> procedures?
>
> If your customer can have superuser access on the machine (which
> effectively means, "If your customer has control of the box,") then
> no, it won't.
>
> If you need to do this sort of thing, then you need to write the
> procedures in C and deliver only object code. Even that probably
> won't solve everything.
>
> A
>
> --
> Andrew Sullivan
> ajs@crankycanuck.ca
On 04/07/2011 03:46 PM, Michael Gould wrote:
> We want to protect the intellectual property of several of our stored
> procedures. If we put them in a separate schema in the database and
> only allow execute on anything in that schema would that protect our
> stored procedures?
>
> Best Regards
>

It depends on what level you want to protect it and what rights the clients have on the machine.

The short answer is that with physical access to a machine, a system administrator should be able to gain super user access to anything on the machine, including the databases.
On 04/07/11 7:31 AM, Michael Gould wrote:
> We wouldn't make any of the system users a superuser in Postgres

Are you providing software run on a customer's box, or a turnkey managed system (hardware+software)?

Anyone who has root access can easily gain database access. Anyone with physical access to the box and its console can gain root access.

Anyone with access to pg_dumpall backup files has access to your stored procedures, too.
On Thu, Apr 07, 2011 at 09:31:20AM -0500, Michael Gould wrote:
> We wouldn't make any of the system users a superuser in Postgres and in my
> 20+ years experience in the industry we provide software for, the
> possibility of having any users of the system that are able to hack or even
> understand what they have if they were able to is slim.

So you aren't afraid your users are going to take this code, but you want to put (relatively meaningless) protection in place anyway?

I guess maybe the security definer functions might help you.

A

--
Andrew Sullivan
ajs@crankycanuck.ca
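
The arrangement discussed in this thread (a dedicated schema, EXECUTE-only grants, and a SECURITY DEFINER function), written out as an added example that is not from any poster; the schema, role and function names are constructed. The last query checks what the grants leave readable: the function body is stored in pg_catalog.pg_proc.prosrc, which ordinary roles can read by default.

```sql
-- Constructed names: schema "proprietary", role "app_user", function "rate_quote".
CREATE ROLE app_user LOGIN;
CREATE SCHEMA proprietary;

CREATE FUNCTION proprietary.rate_quote(weight numeric)
RETURNS numeric
LANGUAGE plpgsql
SECURITY DEFINER                          -- runs with the owner's privileges
SET search_path = proprietary, pg_temp    -- pin the path for a SECURITY DEFINER function
AS $$
BEGIN
    RETURN weight * 1.17;                 -- stand-in for the proprietary logic
END;
$$;

-- New functions are executable by PUBLIC by default, so revoke that first,
-- then grant only what the application role needs.
REVOKE ALL ON FUNCTION proprietary.rate_quote(numeric) FROM PUBLIC;
REVOKE ALL ON SCHEMA proprietary FROM PUBLIC;
GRANT USAGE ON SCHEMA proprietary TO app_user;
GRANT EXECUTE ON FUNCTION proprietary.rate_quote(numeric) TO app_user;

-- Verify the grants took effect (both columns should be true).
SELECT has_schema_privilege('app_user', 'proprietary', 'USAGE')    AS can_use_schema,
       has_function_privilege('app_user',
                              'proprietary.rate_quote(numeric)',
                              'EXECUTE')                           AS can_execute;

-- Check what the role can still read: the grants above control calling the
-- function, not reading its catalog row, so prosrc comes back in full.
SET ROLE app_user;
SELECT n.nspname, p.proname, p.prosecdef, p.prosrc
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'proprietary';
RESET ROLE;
```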
On Thu, 2011-04-07 at 12:45 -0400, Andrew Sullivan wrote:
> On Thu, Apr 07, 2011 at 09:31:20AM -0500, Michael Gould wrote:
> > We wouldn't make any of the system users a superuser in Postgres and in my
> > 20+ years experience in the industry we provide software for, the
> > possibility of having any users of the system that are able to hack or even
> > understand what they have if they were able to is slim.
>
> So you aren't afraid your users are going to take this code, but you
> want to put (relatively meaningless) protection in place anyway?
>
> I guess maybe the security definer functions might help you.

As someone mentioned previously, there is also pl/secure. It certainly isn't perfect but it will deal with the low hanging fruit.

Sincerely,
Joshua D. Drake

--
PostgreSQL.org Major Contributor
Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579
Consulting, Training, Support, Custom Development, Engineering
http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt
On Thu, Apr 7, 2011 at 6:46 AM, Michael Gould <mgould@intermodalsoftwaresolutions.net> wrote:
> We want to protect the intellectual property of several of our stored
> procedures. If we put them in a separate schema in the database and only
> allow execute on anything in that schema would that protect our stored
> procedures?

Just want to point out that the problem you're trying to solve is one of licensing and legal contract, not software. No system is unhackable.

Also, having a skilled user who can help you with troubleshooting being locked out of doing so does you no good in the long run. The very people you seek to protect your IP from are the ones who can help you the most with bug fixes and reporting.