Fwd: How to prevent View sqlite database structure and contents from database browsers

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Fwd: How to prevent View sqlite database structure and contents from database browsers

SR Volatile
Dear Sir/Madam,

I am using Sqlite for my project. Currently, Sqlite database browser able
to view / edit sqlite database structure and content. As part of my
project, I don't want anybody to view/edit the database contents from any
database browsers.
Could you please suggest me, how can i achieve this?

Thanks in advance and looking forward to hear from you.

Sincerely,
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Robert Hairgrove
On Fri, 2013-02-08 at 13:13 +0000, SR Volatile wrote:
> Dear Sir/Madam,
>
> I am using Sqlite for my project. Currently, Sqlite database browser able
> to view / edit sqlite database structure and content. As part of my
> project, I don't want anybody to view/edit the database contents from any
> database browsers.
> Could you please suggest me, how can i achieve this?

Since an SQLite database is a file, you could just set the file system
privileges to read-only.

_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Kees Nuyt
On Fri, 08 Feb 2013 14:20:20 +0100, Robert Hairgrove
<[hidden email]> wrote:

>On Fri, 2013-02-08 at 13:13 +0000, SR Volatile wrote:
>> Dear Sir/Madam,
>>
>> I am using Sqlite for my project. Currently, Sqlite database browser able
>> to view / edit sqlite database structure and content. As part of my
>> project, I don't want anybody to view/edit the database contents from any
>> database browsers.
>> Could you please suggest me, how can i achieve this?
>
>Since an SQLite database is a file, you could just set the file system
>privileges to read-only.

That would prevent write access for the application.

Depending on the circumstances, it might be possible to use ACL or
user:group ownership and account/group/other permissions to black access
to the database file for every user:group, except the application
user:group.

Another possibility is database encryption, in a way that only the
application can know the key. See http://sqlite.org/support.html

--
Groet, Cordialement, Pozdrawiam, Regards,

Kees Nuyt

_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Kees Nuyt
On Fri, 08 Feb 2013 19:46:49 +0100, Kees Nuyt <[hidden email]> wrote:

> ... to black access ...


... to block access ...

Note to self: proofread thoroughly.

--
Groet, Cordialement, Pozdrawiam, Regards,

Kees Nuyt

_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Stephen Chrzanowski
SQLite has no knowledge of users or password protection.  Unlike MSSQL or
MySQL or Oracle, you don't log into the database with a username and
password, and there is no real DBMS to handle permissions.  Filesystem
level locking is pretty much the closest thing you're going to get to
protecting the data within.

I'd suggest encryption to at least block people from getting access to the
file content, however, once the encryption is broken, R/W access will be
permitted.  If you want a total "black box" scenario, this is probably
going to be your best bet.  If you want to block write access, you could
create a new user account, give RW permissions to that user, then give just
R access to everyone else.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

SR Volatile
In reply to this post by SR Volatile
Hi,

Thanks for all of your (Robert Hairgrove, Kees Nuyt, Stephen Chrzanowski)
 suggestions to me.

I wish to add some more details on my question.
I am writing a software, which will install under Windows operating system.
I don't have knowledge about whether I can set R/W file permissions on user
(who install my software) system. Anyway, I will look into it.

Once it written in database, then nobody can able to change the data (even
main user also). This feature will avoid the tampering of results.

@Kees Nuyt<http://www.mail-archive.com/search?l=sqlite-users@...&q=from:%22Kees+Nuyt%22>,
I will look into your database encryption suggestion.

Is there any option to encrypt fields in a table when creating it?

Once again thanks.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Robert Hairgrove
On Mon, 2013-02-11 at 11:04 +0000, SR Volatile wrote:
> Is there any option to encrypt fields in a table when creating it?

There is the SQLite Encryption Extension (SEE):
http://www.hwaci.com/sw/sqlite/see.html

It is not free. But it looks like it does a pretty good job (I never
used it myself).

Other than that, you can encrypt/decrypt the data in your application
using some 3rd party encryption software. Depending on your security
needs, please be aware that no encryption mechanism is 100% safe, and to
achieve an adequate level of security through encryption is anything but
trivial.

Of course, my suggestion to make the file read-only does not prohibit
users from reading the data, only from editing it. You'd have to deny
read AND write access to any users except for those using the database
to prevent all prying eyes.

Although setting up such permissions is fairly straightforward on a *nix
system, I believe that more recent versions of Windows allow user-level
permissions as well.

And I still think this is probably the best way to go with any
file-based RDBMS because once the file-system security is breached, the
database file can be copied and a dedicated intruder can hack away at
leisure to remove whatever encryption there is.

_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: How to prevent View sqlite database structure and contents from database browsers

Stephen Chrzanowski
Being a windows developer myself, I've never really looked into locking
down an application at the file level, however, here are a couple things
that you can look into.

You can create a user from the command line.  Instructions here:
http://www.itechtalk.com/thread16618.html
(google: create user command line)

You can probably skip on setting the user as an administrator, however,
this will become pretty key as, again from the command line, you can set
file permissions on your database so that this new user has access to the
file only.
http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/1050976
(google: windows cacls)

In whatever language you're running, you SHOULD be able to access a file as
that new user.  Take for instance
http://www.djekldevelopments.co.uk/microsoft-visual-basic-net-programmers-cookbook/source/6797final/lib0319.html
(google: windows api run program as different user)

But PLEASE take heed;

If you have a kind of information that you want to protect the user from
getting access to, this is *NOT* the proper manor of doing so.  This will
make it more interesting for an (ab)user to get to the file, however,
anyone with sufficient rights can just take ownership of the file, change
the file permissions, and still gain access to the file.  In reality,
SQLite PROBABLY isn't the right answer for you to begin with since you DO
want to lock down the access.

But then again, you also need to decide at what level you want to protect
the data.  If you're looking for a total, 100% secure method of protecting
your data, you manage it in-house, and your clients access it remotely, or
in my case where I work, the customer buys the machines to our
specifications, we install our software on them in our office, ship them
off after some burn in time, and then we manage them remotely, and the user
has zero access to the machine aside from what we provide them with our
software.


On Mon, Feb 11, 2013 at 7:03 AM, Robert Hairgrove <[hidden email]>wrote:

> On Mon, 2013-02-11 at 11:04 +0000, SR Volatile wrote:
> > Is there any option to encrypt fields in a table when creating it?
>
> There is the SQLite Encryption Extension (SEE):
> http://www.hwaci.com/sw/sqlite/see.html
>
> It is not free. But it looks like it does a pretty good job (I never
> used it myself).
>
> Other than that, you can encrypt/decrypt the data in your application
> using some 3rd party encryption software. Depending on your security
> needs, please be aware that no encryption mechanism is 100% safe, and to
> achieve an adequate level of security through encryption is anything but
> trivial.
>
> Of course, my suggestion to make the file read-only does not prohibit
> users from reading the data, only from editing it. You'd have to deny
> read AND write access to any users except for those using the database
> to prevent all prying eyes.
>
> Although setting up such permissions is fairly straightforward on a *nix
> system, I believe that more recent versions of Windows allow user-level
> permissions as well.
>
> And I still think this is probably the best way to go with any
> file-based RDBMS because once the file-system security is breached, the
> database file can be copied and a dedicated intruder can hack away at
> leisure to remove whatever encryption there is.
>
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: How to prevent View sqlite database structure and contents from database browsers

Simon Slavin-3

On 12 Feb 2013, at 3:24pm, Stephen Chrzanowski <[hidden email]> wrote:

> If you have a kind of information that you want to protect the user from
> getting access to, this is *NOT* the proper manor of doing so.  This will
> make it more interesting for an (ab)user to get to the file, however,
> anyone with sufficient rights can just take ownership of the file, change
> the file permissions, and still gain access to the file.

Right.  Even if reading the raw database file is no help, if you use encryption at the field level all they need to do is use a SQLite utility to replace the encrypted password for an admin account with the encrypted password from their own account.

If you want to prevent users from getting at the database file as a file, put the database file somewhere where they can't see it at all, and use a server to feed them the data from it.  That's your only protection.

Simon.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users