Thread: Protecting stored procedures

Protecting stored procedures

From
Michael Gould
Date:

We want to protect the intellectual property of several of our stored procedures.  If we put them in a separate schema in the database and only allow execute on anything in that schema would that protect our stored procedures?

 

Best Regards

 

 


Michael Gould, Managing Partner
Intermodal Software Solutions, LLC
904.226.0978
904.592.5250 fax

Re: Protecting stored procedures

From
Szymon Guz
Date:
On 7 April 2011 14:46, Michael Gould <mgould@intermodalsoftwaresolutions.net> wrote:

We want to protect the intellectual property of several of our stored procedures.  If we put them in a separate schema in the database and only allow execute on anything in that schema would that protect our stored procedures?



Protect them from who?

regards
Szymon 

Re: Protecting stored procedures

From
Andrew Sullivan
Date:
On Thu, Apr 07, 2011 at 07:46:36AM -0500, Michael Gould wrote:
> We want to protect the intellectual property of several of our stored
> procedures.  If we put them in a separate schema in the database and only
> allow execute on anything in that schema would that protect our stored
> procedures?

If your customer can have superuser access on the machine (which
effectively means, "If your customer has control of the box,") then
no, it won't.

If you need to do this sort of thing, then you need to write the
procedures in C and deliver only object code.  Even that probably
won't solve everything.

A

--
Andrew Sullivan
ajs@crankycanuck.ca

Re: Protecting stored procedures

From
Vibhor Kumar
Date:
On Apr 7, 2011, at 6:16 PM, Michael Gould wrote:

> We want to protect the intellectual property of several of our stored procedures.  If we put them in a separate
schemain the database and only allow execute on anything in that schema would that protect our stored procedures? 

If use is normal user, then you can revoke the access of procedure from user.
If you are thinking of keeping the code of stored procedure hidden from any user, then you can use PL_secure:
http://www.enterprisedb.com/docs/en/8.4/plsecure/Postgres_Plus_Standard_Server_PL_Secure_PLpgSQL-09.htm#P134_8474

Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog:http://vibhork.blogspot.com


Re: Protecting stored procedures

From
Michael Gould
Date:
We wouldn't make any of the system users a superuser in Postgres and in my
20+ years experience in the industry we provide software for, the
possibility of having any users of the system that are able to hack or even
understand what they have if they were able to is slim.  I understand that
anything can be reverse engineered.  I had a relationship with a Russian
program several years ago that could take the compile C modules, reverse
engineer them to assembler and then back to the original C code to find and
report bugs.  That being said I don't worry too much about those types.

Best Regards

Michael Gould


"Andrew Sullivan" <ajs@crankycanuck.ca> wrote:
> On Thu, Apr 07, 2011 at 07:46:36AM -0500, Michael Gould wrote:
>> We want to protect the intellectual property of several of our stored
>> procedures.  If we put them in a separate schema in the database and only
>> allow execute on anything in that schema would that protect our stored
>> procedures?
>
> If your customer can have superuser access on the machine (which
> effectively means, "If your customer has control of the box,") then
> no, it won't.
>
> If you need to do this sort of thing, then you need to write the
> procedures in C and deliver only object code.  Even that probably
> won't solve everything.
>
> A
>
> --
> Andrew Sullivan
> ajs@crankycanuck.ca
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>



Re: Protecting stored procedures

From
Sim Zacks
Date:
On 04/07/2011 03:46 PM, Michael Gould wrote:

> We want to protect the intellectual property of several of our stored
> procedures.  If we put them in a separate schema in the database and
> only allow execute on anything in that schema would that protect our
> stored procedures?
>
> Best Regards
>
It depends on what level you want to protect it and what rights the
clients have on the machine.


The short answer is that with physical access to a machine, a system
administrator should be able to gain super user access to anything on
the machine, including the databases.


Re: Protecting stored procedures

From
John R Pierce
Date:
On 04/07/11 7:31 AM, Michael Gould wrote:
> We wouldn't make any of the system users a superuser in Postgres


are you providing software run on a customers box, or a turnkey managed
system (hardware+software) ?

anyone who has root access can easily gain database access.  anyone with
physical access to the box and its console can gain root access.
anyone with access to pg_dumpall backup files has access to your stored
procedures, too.



Re: Protecting stored procedures

From
Andrew Sullivan
Date:
On Thu, Apr 07, 2011 at 09:31:20AM -0500, Michael Gould wrote:
> We wouldn't make any of the system users a superuser in Postgres and in my
> 20+ years experience in the industry we provide software for, the
> possibility of having any users of the system that are able to hack or even
> understand what they have if they were able to is slim.

So you aren't afraid your users are going to take this code, but you
want to put (relatively meaningless) protection in place anyway?

I guess maybe the security definer functions might help you.

A


--
Andrew Sullivan
ajs@crankycanuck.ca

Re: Protecting stored procedures

From
"Joshua D. Drake"
Date:
On Thu, 2011-04-07 at 12:45 -0400, Andrew Sullivan wrote:
> On Thu, Apr 07, 2011 at 09:31:20AM -0500, Michael Gould wrote:
> > We wouldn't make any of the system users a superuser in Postgres and in my
> > 20+ years experience in the industry we provide software for, the
> > possibility of having any users of the system that are able to hack or even
> > understand what they have if they were able to is slim.
>
> So you aren't afraid your users are going to take this code, but you
> want to put (relatively meaningless) protection in place anyway?
>
> I guess maybe the security definer functions might help you.

As someone mentioned previously, there is also pl/secure. It certainly
isn't perfect but it will deal with the low hanging fruit.

Sincerely,

Joshua D. Drake


--
PostgreSQL.org Major Contributor
Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579
Consulting, Training, Support, Custom Development, Engineering
http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt


Re: Protecting stored procedures

From
Scott Marlowe
Date:
On Thu, Apr 7, 2011 at 6:46 AM, Michael Gould
<mgould@intermodalsoftwaresolutions.net> wrote:
> We want to protect the intellectual property of several of our stored
> procedures.  If we put them in a separate schema in the database and only
> allow execute on anything in that schema would that protect our stored
> procedures?

Just want to point out that the problem you're trying to solve is one
of licensing and legal contract, not software.  No system is
unhackable.  Also, having a skilled user who can help you with
troubleshooting being locked out of doing so does you no good in the
long run.  The very people you seek to protect your IP from are the
ones who can help you the most with bug fixes and reporting.