What options for xHarbour Data Protection - xharbour
Re: What options for xHarbour Data Protection
Hi Marco,
you mean that you put the executable in /etc/passwd instead of the shell ?
Can you better specify your method ?
Thanks,
Francesco
> In Linux (Unix like OS) you can give access to the users only to your
> executable, while no-users can directly access dbf files.
> I have created several application, making them available via internet
> via SSH terminal Putty, without risk.
> In Linux you can create one user that can access directory where
> database is (Administrator.. you) and other users that can just run a
> program (the program can be in the same directory).
-
Re: What options for xHarbour Data Protection
Hi francesco
here is my method. I am sending you readme.file included in the application.
Let me know if you need more explanations
Bye, Marco
This document shows how to create a safe environment for your GESMAG-Linux.
Customers are connected via SSH terminal Putty or any other SSH terminal
emulator.

This document considers that
a) your Linux-application is already installed and is in the /home/gesmag
   directory
b) the owner of the gesmag directory and all files in the /home/gesmag
   folder is user "gesmag"
c) the program must not call a shell, or must not call programs that can
   call a shell (like some editors)
If you have a different configuration, change the following instructions
accordingly.

Introduction.
If all users can access GESMAG via SSH with user "gesmag", they can be in a
position to make any action on the database. In fact they can activate their
SSH session passing a command like "/bin/bash -norc" that will allow them to
access a shell in the /home/gesmag folder and therefore copy or delete files.
This must be avoided !!!

0) login as "root"

1) create a new user "gesmagsafe"; this will create a new folder
/home/gesmagsafe. The users must not know the password of "gesmag", but
only the password for user "gesmagsafe". They must work on GESMAG-Linux
using "gesmagsafe"

    useradd gesmagsafe
    passwd gesmagsafe

The GESMAG administrator instead will use "gesmag"

2) Change or check that the permissions for the /home/gesmag directory are
drwx------, or change them as follows

    chmod 700 /home/gesmag

now only user gesmag can access the folder /home/gesmag.
Change the attributes for /home/gesmagsafe as follows

    chmod 710 /home/gesmagsafe
    chown gesmag /home/gesmagsafe
    chgrp gesmagsafe /home/gesmagsafe

now gesmag can enter, add and modify files in /home/gesmagsafe;
gesmagsafe can only enter the directory and execute files;
gesmagsafe cannot create new files or delete files

3) create the file startgesmag.sh in the directory /home/gesmagsafe

    vi startgesmag.sh

    cd /home/gesmag
    export SHELL=/bin/bash
    ./go.bat
    cd /home/gesmagsafe

save the file and change its attributes as follows

    chmod 700 /home/gesmagsafe/startgesmag.sh
    chown gesmag /home/gesmagsafe/startgesmag.sh
    chgrp gesmag /home/gesmagsafe/startgesmag.sh

this script cannot be changed/read/executed by user gesmagsafe

4) How to give permission to "gesmagsafe" to use gesmag.
You need to use SUDO, which usually is already installed on Linux: try to
type sudo <enter> in order to verify it. If sudo is not installed, you have
to install it first.
Now edit the sudoers file

    visudo

and add the following line

    gesmagsafe localhost= (gesmag) NOPASSWD: /home/gesmagsafe/startgesmag.sh

this line allows the user gesmagsafe to run the script
/home/gesmagsafe/startgesmag.sh as gesmag. If user "gesmagsafe" is able to
obtain shell access to your Linux server, he/she can only run
startgesmag.sh but he/she cannot access the folder /home/gesmag in any
other way.

5) in order to give the users immediate access to gesmag, you can add to
/home/gesmagsafe/.bashrc the lines

    sudo -u gesmag ./startgesmag.sh
    exit

or in many Linux distributions (Slackware) you can create a file like
/home/gesmagsafe/go and write inside

    sudo -u gesmag ./startgesmag.sh

Now you can define /home/gesmagsafe/go as the default shell for the user
gesmagsafe (edit the password file with vipw and change the default shell)

6) You can also filter user access based on IP by changing startgesmag.sh
as follows

    cd /home/gesmag
    export SHELL=/bin/bash
    who -m | grep ".local.lan"      # check local LAN (check of local domain)
    if [ ! $? = 0 ]; then
        who -m | grep "192.168.1."  # check local IP address
        if [ ! $? = 0 ]; then
            echo "ACCESS NOT AUTHORIZED"
            sleep 3
            exit
        fi
    fi
    ./go.bat
    cd /home/gesmagsafe

"FP" <mc8647__nnoossppaamm@mclink.it> wrote in message
news:figg9i$f35$1@newsreader2.mclink.it...
> Hi Marco,
> you mean that you put the executable in /etc/passwd instead of the shell ?
>
> Can you better specify your method ?
>
> Thanks,
> Francesco
>
>> In Linux (Unix like OS) you can give access to the users only to your
>> executable, while no-users can directly access dbf files.
>> I have created several application, making them available via internet
>> via SSH terminal Putty, without risk.
>> In Linux you can create one user that can access directory where database
>> is (Administrator.. you) and other users that can just run a program (the
>> program can be in the same directory).
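
The permission layout from steps 2 and 3 of the readme above can be checked with a small audit script. This is an added example, not part of the readme or the thread; the function names and arguments are this example's own, the directory and file names are the readme's, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit the layout described in steps 2 and 3 of the readme.
# Function names and arguments are hypothetical; GNU stat is assumed.

# check_entry PATH MODE OWNER GROUP   (GROUP "-" skips the group comparison)
check_entry() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %a = octal mode, %U = owner name, %G = group name
    have_mode=$(stat -c %a "$path")
    have_owner=$(stat -c %U "$path")
    have_group=$(stat -c %G "$path")
    if [ "$want_group" = "-" ]; then want_group=$have_group; fi
    if [ "$have_mode" != "$want_mode" ] || [ "$have_owner" != "$want_owner" ] ||
       [ "$have_group" != "$want_group" ]; then
        echo "MISMATCH $path: have $have_mode $have_owner:$have_group," \
             "want $want_mode $want_owner:$want_group"
        return 1
    fi
    echo "OK       $path"
}

# audit_gesmag [ROOT] [ADMIN_USER] [ADMIN_GROUP] [SAFE_GROUP]
# Returns 0 only when every entry matches the readme.
audit_gesmag() {
    root=${1:-/home} admin=${2:-gesmag} admin_grp=${3:-gesmag} safe_grp=${4:-gesmagsafe}
    failures=0
    # Step 2: data directory reachable by the administrator account only.
    check_entry "$root/gesmag" 700 "$admin" - || failures=$((failures + 1))
    # Step 2: the restricted group may traverse (x) but not list or write.
    check_entry "$root/gesmagsafe" 710 "$admin" "$safe_grp" ||
        failures=$((failures + 1))
    # Step 3: launcher usable by the administrator account only.
    check_entry "$root/gesmagsafe/startgesmag.sh" 700 "$admin" "$admin_grp" ||
        failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Run the audit only when arguments are given, e.g.:  sh audit.sh /home
if [ "$#" -gt 0 ]; then audit_gesmag "$@"; fi
```

Run it as root after any change to the two home directories; a MISMATCH on /home/gesmagsafe or on startgesmag.sh means the restricted account may be able to replace the script that sudo runs as gesmag.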
-
Re: What options for xHarbour Data Protection
Hi David,
>
> A couple more questions / suggestions...
> 1) How many programs need to access the data, and how is the data
> updated between programs? (x)Harbour uses a single common
> repository. You make it sound like you don't need this.
>
Anando: Just my program. What is "single common repository"?
> 2) Have you heard of this:
> http://free-backup.info/x-drive-and-...et-backup.html
> If they have internet access, they can always have this information
> refreshed. Lots of potential solutions along this line... I'd bet
> that you could code the "connection" so that there is NO local data
> store for them to tweak, because your program has the only password to
> make the connection.
>
Anando: A few do have internet connection, but most don't. Not an option for
this particular instance.
> 3) along the lines of the Linux solution, you might look into
> something like:
> http://www.password-protect-software.com/
> ... see if they have a solution that will let the entire directory be
> backed up, but only provide read-write access to the data via an API
> of some sort.
>
Anando: Linux is not acceptable at this point of time.
Thanks.
-
Re: What options for xHarbour Data Protection
Anybody know what's the cost of Advantage Database Server for Windows
International Version? I can't find it on iAnywhere or Sybase sites.
Thanks.
Anando.
-
Re: What options for xHarbour Data Protection
Thanks Marco, but this is not an option for me at this point of time, since
my users are all
Windows oriented.
Anando.
"marco bernardi" <bernx@tin.it> wrote in message
news:474b1998$0$1348$834e42db@reader.greatnowhere.com...
> Hi Anando,
> in order to create a strong, very secure, fast, cheap, "easy to access via
> internet" database system using xHarbour you have to move to Linux.
> I have done it and I have easily reached what you are searching for.
> In Linux (Unix like OS) you can give access to the users only to your
> executable, while no-users can directly access dbf files.
> I have created several application, making them available via internet via
> SSH terminal Putty, without risk.
> In Linux you can create one user that can access directory where database
> is (Administrator.. you) and other users that can just run a program (the
> program can be in the same directory).
> In windows you have sure to use some complex DATABASE Engine and probably
> re-write part of the program. Furthermore performance remain slower than a
> Linux application.
> Manage such application in internet (remote users) became also quite
> difficult.
>
> Regards, Marco.
>
-
Re: What options for xHarbour Data Protection
SQLite sounds interesting. They are supposed to have a [x]Harbour wrapper at
http://www.geocities.com/SiliconVall...bsqlite_en.htm
mentioned on http://www.sqlite.org/cvstrac/wiki?p=SqliteWrappers, but the
link doesn't work. However, I did find a rar file at
http://www4.zzz.com.tw/phpbb2/viewtopic.php?t=38.
Anyway, what would be the steps that I would have to follow?
1. Download SQLite.
2. Compile the binaries.
3. Then ... ?
4. Then ... ?
.... or something totally different?
As you can see, I'm entering new territories and getting horribly confused
with servers and clients and processes and user rights and ... and ... After
years of Clipper's and (now xHarbour's) ease of use, I need all the guidance
I can get.
Thanks.
Anando.
"Gejza Horvath" <_hsoftkn@nextra.sk> wrote in message
news:5r00o2F11q7buU1@mid.individual.net...
> Anando,
>
> maybe the SQLite (zero configuration) is the best choice for you. Xailer
> has a separate
> class for native support this database. You need nothing else to install,
> only your exe.
>
> From the official site www.sqlite.org:
>
> Unlike most other SQL databases, SQLite does not have a separate server
> process. SQLite
> reads and writes directly to ordinary disk files.
>
>
> Regards,
>
> Gejza Horváth
>
-
Re: What options for xHarbour Data Protection
Hi Anando,
also my users !
no user is working with Linux workstation... just server.
The users also are using the Linux server like a Windows server (Samba) for
some other application...
Marco
"Anando" <anando63@yahoo.co.in> wrote in message
news:474c7a45$0$1348$834e42db@reader.greatnowhere.com...
> Thanks Marco, but this is not an option for me at this point of time,
> since my users are all
> Windows oriented.
> Anando.
>
>
> "marco bernardi" <bernx@tin.it> wrote in message
> news:474b1998$0$1348$834e42db@reader.greatnowhere.com...
>> Hi Anando,
>> in order to create a strong, very secure, fast, cheap, "easy to access via
>> internet" database system using xHarbour you have to move to Linux.
>> I have done it and I have easily reached what you are searching for.
>> In Linux (Unix like OS) you can give access to the users only to your
>> executable, while no-users can directly access dbf files.
>> I have created several application, making them available via internet
>> via
>> SSH terminal Putty, without risk.
>> In Linux you can create one user that can access directory where database
>> is (Administrator.. you) and other users that can just run a program (the
>> program can be in the same directory).
>> In windows you have sure to use some complex DATABASE Engine and probably
>> re-write part of the program. Furthermore performance remain slower than
>> a
>> Linux application.
>> Manage such application in internet (remote users) became also quite
>> difficult.
>>
>> Regards, Marco.
>>
>
>
-
Re: What options for xHarbour Data Protection
Dear Anando:
"Anando" <anando63@yahoo.co.in> wrote in message
news:474c79fe$0$1348$834e42db@reader.greatnowhere.com...
>
> Hi David,
>>
>> A couple more questions / suggestions...
>> 1) How many programs need to access the data,
>> and how is the data updated between programs?
>> (x)Harbour uses a single common repository. You
>> make it sound like you don't need this.
>>
> Anando: Just my program. What is "single common
> repository"?
You talk about multiple users, which is confusing me.
A single common repository would be a dbf (or set of dbfs) on a
file server, and all users get information from, and store
information to this single (set of) file(s).
>> 2) Have you heard of this:
>> http://free-backup.info/x-drive-and-...et-backup.html
>> If they have internet access, they can always have this
>> information refreshed. Lots of potential solutions along
>> this line... I'd bet that you could code the "connection"
>> so that there is NO local data store for them to tweak,
>> because your program has the only password to make
>> the connection.
>
> Anando: A few do have internet connection, but most
> don't. Not an option for this particular instance.
<sound of fingers snapping>
>> 3) along the lines of the Linux solution, you might
>> look into something like:
>> http://www.password-protect-software.com/
>> ... see if they have a solution that will let the entire
>> directory be backed up, but only provide read-write
>> access to the data via an API of some sort.
>
> Anando: Linux is not acceptable at this point of time.
Look again. It provides (apparently) Linux-like behavior... in
WindDoze.
David A. Smith
-
Re: What options for xHarbour Data Protection
Dear Anando:
"Anando" <anando63@yahoo.co.in> wrote in message
news:474c7e93$0$1346$834e42db@reader.greatnowhere.com...
> SQLite sounds interesting.
There are more ways of accessing SQL, and more people that can
tweak SQL, than there are that can do dbfs. I only think you are
making it hard on *you*.
David A. Smith
-
Re: What options for xHarbour Data Protection
User "Anando" <anando63@yahoo.co.in> wrote in message
news:474c7e93$0$1346$834e42db@reader.greatnowhere.com...
> SQLite sounds interesting. They are supposed to have a [x]Harbour wrapper
> at
> http://www.geocities.com/SiliconVall...bsqlite_en.htm
> mentioned on http://www.sqlite.org/cvstrac/wiki?p=SqliteWrappers, but the
> link doesn't work. However, I did find a rar file at
> http://www4.zzz.com.tw/phpbb2/viewtopic.php?t=38.
>
> Anyway, what would be the steps that I would have to follow?
> 1. Download SQLite.
> 2. Compile the binaries.
> 3. Then ... ?
> 4. Then ... ?
> ... or something totally different?
Anando, have you tried dbInfo( DBI_PASSWORD [,<cPassword>]) yet:
DBI_PASSWORD [<cPassword>] --> NIL
This setting defines a password of up to eight characters in length which is
used for data encryption in the database file. Note that only data in a DBF
file is encrypted. Data stored in index and/or memo files are not encrypted
with the password.
Regards,
Marek Horodyski