> -----Original Message-----
> From: wolf.duttlinger-manger@gmx.de [SMTP:wolf.duttlinger-manger@gmx.de]
> Sent: Tuesday, November 09, 2004 10:36 AM
> To: informix-list@iiug.org
> Subject: Re: No ODBC access to Informix...
> Importance: High
>
> Hi there,
>
> I just was informed that providing an empty 'sqlhosts' file would
> prevent anybody from accessing the box.
>
> Now -
> in sqlhosts a "nettype" and some "options" are entered. Are there any
> chances to narrow down the scope of "neglection" using these
> parameters? Like - nettype not including "ODBC-net access", or options
> stating only read-oinly access....
[Bill Dare]
No.

> Next -
> the 'sqlhosts' file - is it one per box, or one per "instance" - i.e.
> would it be possible to install two dbm-instances on one machine with
> two different sqlhosts files?
[Bill Dare]
One per instance, so yes you can have 2 instances on one box. One
instance read-only for ODBC access and one instance with SHM connections
only for production.
Setting this up will require that you be running IDS 9.40. You need
to use the -rename option with onbar/ontape (backup utilities) to restore
the second instance on the same machine and that option was not available
before 9.40.
You could use symbolic links to your db chunks to get around this,
but that is not formally supported by IBM Informix.

> (I know RTFM - but - I don't have them, and I basically do not have
> time to become a Informix admin.....)
>
> Regards
> Wolf
>
> wolf.duttlinger-manger@gmx.de (Wolf) wrote in message
> news:<6e942e26.0411090203.1f43e57d@posting.google. com>...
> > Yeeeeha!!!!
> >
> > Peng, peng!!!
> >
> > <G>
> >
> > I totally agree to this Art - only - the ERP is there and it works the
> > way it works... i.e. the users log on to the DB using their! uid - and
> > therefore have to have the rights they have.....
> >
> > So - also to the others that posted - I do not see a solution -
> > "hiding" a database is no solution - we have to mitigate the risk of a
> > user changing the data outside the ERP.....
> >
> > Again - please does anybody have an idea how to block ODBC access to a
> > Solaris based Informix *** at all *** - i.e. I do not want to allow
> > _ANY_ ODBC calls to be coming in to this box - somehow configuring a
> > "listener" - if there is such thing in Informix......
> >
> > Regards
> > Wolf
> >
> > "Art S. Kagel" <kagel@bloomberg.net> wrote in message
> news:<pan.2004.11.08.15.48.49.861051.1355@bloomber g.net>...
> > > On Mon, 08 Nov 2004 14:00:45 -0500, Bill Dare wrote:
> > >
> > > WAIT just one minute there cowboy! Why not just disable the user's
> > > update/insert/delete permissions on the database itself! The
> 'business' app
> > > can log into the database on the users' behalf using a different ID
> which is
> > > priveleged to modify the data. If doing that with a single login for
> all,
> > > then create another small read-only database that maps real user-id
> and
> > > password to a unique alter-ego user-id which will be used to connect
> to the DB
> > > server.
> > >
> > > Art S. Kagel
> > >
> > > >> I do not know Informix - but from my understanding there must be a
> way to
> > > >> totally disable ODBC access towards this database. I know a little
> about
> > > >> DB2 and Oracle and from there I have the following picture:
sending to informix-list

Hi Wolf

I might not have understood correctly but if roles and access to your
database can be controlled at the Operating System level then
following on from what Wolf touches on, the OpenLink ODBC drivers
provde ODBC drivers that can authenticate at both the Operating System
and Database level. It is also possible to setup rules that can
control which application connects to which database. If you need
information on this, I'd be happy to provide you whatever you need.
For more information, you can visit http://www.openlinksw.com or
alternatively, you might be interested in reading this White Paper at

http://www.openlinksw.com/articles/dbsecurity.pdf

Regards

Emmon Simbo
Technical Services
OpenLink Software



Bill Dare <dareb@jevic.com> wrote in message news:<1100034639.+8fQycP66TCZpBSUtwa6Ag@teranews>. ..
> > -----Original Message-----
> > From: wolf.duttlinger-manger@gmx.de [SMTP:wolf.duttlinger-manger@gmx.de]
> > Sent: Tuesday, November 09, 2004 10:36 AM
> > To: informix-list@iiug.org
> > Subject: Re: No ODBC access to Informix...
> > Importance: High
> >
> > Hi there,
> >
> > I just was informed that providing an empty 'sqlhosts' file would
> > prevent anybody from accessing the box.
> >
> > Now -
> > in sqlhosts a "nettype" and some "options" are entered. Are there any
> > chances to narrow down the scope of "neglection" using these
> > parameters? Like - nettype not including "ODBC-net access", or options
> > stating only read-oinly access....
> [Bill Dare]
> No.
>
> > Next -
> > the 'sqlhosts' file - is it one per box, or one per "instance" - i.e.
> > would it be possible to install two dbm-instances on one machine with
> > two different sqlhosts files?
> [Bill Dare]
> One per instance, so yes you can have 2 instances on one box. One
> instance read-only for ODBC access and one instance with SHM connections
> only for production.
> Setting this up will require that you be running IDS 9.40. You need
> to use the -rename option with onbar/ontape (backup utilities) to restore
> the second instance on the same machine and that option was not available
> before 9.40.
> You could use symbolic links to your db chunks to get around this,
> but that is not formally supported by IBM Informix.
>
> > (I know RTFM - but - I don't have them, and I basically do not have
> > time to become a Informix admin.....)
> >
> > Regards
> > Wolf
> >
> > wolf.duttlinger-manger@gmx.de (Wolf) wrote in message
> > news:<6e942e26.0411090203.1f43e57d@posting.google. com>...
> > > Yeeeeha!!!!
> > >
> > > Peng, peng!!!
> > >
> > > <G>
> > >
> > > I totally agree to this Art - only - the ERP is there and it works the
> > > way it works... i.e. the users log on to the DB using their! uid - and
> > > therefore have to have the rights they have.....
> > >
> > > So - also to the others that posted - I do not see a solution -
> > > "hiding" a database is no solution - we have to mitigate the risk of a
> > > user changing the data outside the ERP.....
> > >
> > > Again - please does anybody have an idea how to block ODBC access to a
> > > Solaris based Informix *** at all *** - i.e. I do not want to allow
> > > _ANY_ ODBC calls to be coming in to this box - somehow configuring a
> > > "listener" - if there is such thing in Informix......
> > >
> > > Regards
> > > Wolf
> > >
> > > "Art S. Kagel" <kagel@bloomberg.net> wrote in message
> news:<pan.2004.11.08.15.48.49.861051.1355@bloomber g.net>...
> > > > On Mon, 08 Nov 2004 14:00:45 -0500, Bill Dare wrote:
> > > >
> > > > WAIT just one minute there cowboy! Why not just disable the user's
> > > > update/insert/delete permissions on the database itself! The
> 'business' app
> > > > can log into the database on the users' behalf using a different ID
> which is
> > > > priveleged to modify the data. If doing that with a single login for
> all,
> > > > then create another small read-only database that maps real user-id
> and
> > > > password to a unique alter-ego user-id which will be used to connect
> to the DB
> > > > server.
> > > >
> > > > Art S. Kagel
> > > >
> > > > >> I do not know Informix - but from my understanding there must be a
> way to
> > > > >> totally disable ODBC access towards this database. I know a little
> about
> > > > >> DB2 and Oracle and from there I have the following picture:
> sending to informix-list