tags:

views:

38

answers:

4
+4  Q: 

Safe read-only sqlite3 database

I want to give my website users arbitrary read-only access to an SQLite3 database, without letting them write to the database or do any other damage. How?

Making the db file read-only helps a little, but commands like "ATTACH", ".load" and ".output" allow people to read/write other files, which may not be protected.

Of course, if I knew all such commands, I'd just filter against them, but I'm mostly worried about commands I haven't thought of.

I tried briefly to alter sqlite3's source code to disallow writes, but this is harder than it looks: even the SELECT statement appears to do some internal INSERTS/etc.

Note: I've considered DOS attacks, and will ulimit cputime to 5s or something. My main concern is damage to files/"hacking", not DOS.

chroot() may work, but seems extreme.

Thoughts?

A: 

Try making the sqlite database file read only.

If you need to update it:

1)block read access from users.

2)give it a write bit.

3)make your modifications.

4)then remove the write bit. 

5)Restore user access.

If you don't do this, then it would be a race condition vulnerability.

Rook  2010-09-17 19:33:21
No. SQLite3 commands like ATTACH can access other files. Not worried about race condition, since SQLite3 has locking.
barrycarter  2010-09-28 22:40:09
@user354134 Yes race conditions are still a **very large** issue in the scenario I described. If you are are locking the file on the file system, there is a gap when the file is unlocked and you aren't accessing it with sqlite. But you are right about attach, i'm not sure a good way to handle that without trying to parse the query.
Rook  2010-09-28 23:20:48
+1  A: 

Of course, if I knew all such commands, I'd just filter against them, but I'm mostly worried about commands I haven't thought of.

Have you considered using a whitelist instead of a blacklist? Only allow statements that start with SELECT or EXPLAIN.

dan04  2010-09-17 19:36:58
sqllite allows for query stacking...
Rook  2010-09-17 19:37:38
Yes, but *you* don't have to allow it. Instead of sqlite3_exec, use prepared statements, which execute only one statement at a time.
dan04  2010-09-17 19:43:00
@dan04 A user writing queries is the exact opposite of prepared statements.
Rook  2010-09-17 21:01:45
I think I'm OK w/o multiple queries in one go, but I'm still worried about nested queries. However, if the file's read-only, that may be OK. I'll check if SQLite3 responds to "SELECT * FROM (ATTACH ...)" type queries.I'm also worried about (for example) semicolons that'll make sqlite run multiple queries anyway. Of course, I can filter against semicolons, but you get the general idea.
barrycarter  2010-09-17 21:35:43
A: 

Assure that your user has write access and that other users (especially the user that the webserver runs as) has only read access to the file itself. How you do this of course depends on your platform (Linux, Windows, etc.)

Pete  2010-09-27 22:02:42
Right. That part's easy. The hard part: what sqlite3 commands can access other files (eg, ATTACH).
barrycarter  2010-09-28 22:39:06
A: 

Make your database file read only in the operating system. Once you've done that SQLite can't override it. If you still have issues it's not a SQLite issue. They might still be able to find a php/cgi/etc issue but that's the nature of the security beast.

Jay  2010-09-27 22:35:05
Unfortunately, not true (that was my original plan). Commands like ATTACH can access other files.
barrycarter  2010-09-28 22:39:32
If your environment doesn't allow access to other files there's not a lot they can do with it. Can you run it in a chroot jail?
Jay  2010-09-29 16:35:04

related questions

SQLite3::BusyException
How do I dump the data of some SQLite3 tables?
Database functionality with WPF app: SQLite, SQL CE, other?
SQLite UDF - VBA Callback
JavaScript sqlite
SQLite/PHP read-only?
Is there a MySQLAdmin or SQL Server Management Studio equivalent for SQLite databases on Windows?
What are the advantages of VistaDB
How Scalable is SQLite?
Programmatically access browser history
SQL Pagination
Metalanaguage to describe the Model from MVC to generate identical client and server side code
Java and SQLite
Is there a good IDE for SQLite ?
Does Visual Studio Server Explorer support custom database providers?
Objective-C: Passing around sets of data
What is the best way to connect and use a sqlite database from C#
Quick easy way to migrate SQLite3 to MySQL?
Why does sqlite3-ruby-1.2.2 not work on OS X?
T-Sql date format for seconds since last epoch / formatting for sqlite input
What's the best way of converting a mysql database to a sqlite one?
SQLite vs MySQL
Using SQLite with Visual Studio 2008 and Silverlight
Adobe Air - Using multiple SQLite databases at once
SQLite and XSD