Secures features for databases running on the current database server.
{ dbsrv11 | dbeng11 } -sf feature-list ...
All operating systems and database servers.
This option allows you to enable and disable features for a database server. These settings affect all databases running on the database server. You can enable all disabled (secured) features for a connection by setting the secure_feature_key option to the key specified by the -sk option. Any connection that sets the secure_feature_key option to the key specified by -sk can also change the set of secured features for a database server using the SecureFeatures property of the sa_server_option system procedure.
The feature-list is a comma-separated list of feature names or feature sets to secure for the database server. Use feature-name to indicate that the feature should be disabled, and -feature-name to indicate that the feature should be removed from the disabled features list. For example, the following command indicates that only dbspace features are enabled:
dbeng11 -n secure_server -sf all,-dbspace |
The following feature-name values are supported (values enclosed in parentheses are the short forms of feature names that can also be specified):
none Specifies that no features are disabled.
all Disables all features that can be disabled including the following groups.
client Disables all features that allow access to client-related input/output. This includes access to the client computing environment. This set consists of the following features.
read_client_file Disables the use of statements that can cause a client file to be read. For example, the READ_CLIENT_FILE function and the LOAD TABLE statement. See Accessing data on client computers.
write_client_file Disables the use of all statements that can cause a client file to be written to. For example, the UNLOAD statement and the WRITE_CLIENT_FILE function. See Accessing data on client computers.
local Disables all local-related features. This includes access to the server computing environment. This set consists of the local_call, local_db, local_io, and local_log feature subsets described below.
local_call Disables all features that provide the ability to execute code that is not directly part of the server and is not controlled by the server. This set consists of the following features.
cmdshell Disables the use of the xp_cmdshell procedure. See xp_cmdshell system procedure.
external_procedure Disables the use of external stored procedures. This setting does not disable the use of the xp_* system procedures (such as xp_cmdshell, xp_readfile, and so on) that are built into the database server. Separate feature control options are provided for these system procedures. See Calling external libraries from procedures.
java Disables the use of Java-related features, such as Java procedures. See Tutorial: Using Java in the database.
local_db Disables all features related to database files. This set consists of the following features.
backup Disables the use of the BACKUP statement, and therefore, the ability to run server-side backups. You can still perform client-side backups using dbbackup. See BACKUP statement.
restore Disables the use of the RESTORE DATABASE statement. See RESTORE DATABASE statement.
database Disables the use of the CREATE DATABASE, ALTER DATABASE, DROP DATABASE, CREATE ENCRYPTED FILE, and CREATE DECRYPTED FILE statements.
dbspace Disables the use of the CREATE DBSPACE, ALTER DBSPACE, and DROP DBSPACE statements.
local_io Disables all features that allow direct access to files and their contents. This set consists of the following features.
read_file Disables the use of statements that can cause a local file to be read. For example, the xp_read_file system procedure, the LOAD TABLE statement, and the use of OPENSTRING( FILE ... ). The alternate names load_table and xp_read_file are deprecated.
write_file Disables the use of all statements that can cause a local file to be written to. For example, the UNLOAD statement and the xp_write_file system procedure. The alternate names unload_table and xp_write_file are deprecated.
delete_file Disables the use of all statements that can cause a local file to be deleted. For example, it disables the use of the db_delete_file DBLib function, which deletes database files. The db_delete_file function is used by the dbbackup -x and -xo options, so securing db_delete_file causes dbbackup to fail if the -x or -xo options are specified. See db_delete_file function.
directory Disables the use of directory class proxy tables. This feature is also disabled when remote_data_access is disabled.
local_log Disables all logging features that result in creating or writing data directly to a file on disk. This set consists of the following features.
request_log Disables the ability to change the request log file name and also disables the ability to increase the limits of the request log file size or number of files. You can specify the request log file, as well as limits on this file, in the command to start the database server; however, they cannot be changed once the server is started. When request log features are disabled, you can still turn request logging on and off, and reduce the maximum file size and number of request logging files. See Request logging.
console_log Disables the ability to change the database server message log file name using the ConsoleLogFile option of the sa_server_option system procedure . It also disables the ability to increase the maximum size of the log file using the ConsoleLogMaxSize option of the sa_server_option system procedure . You can specify a server log file and its size when starting the database server.
webclient_log Disables the ability to change the web service client log file name using the WebClientLogFile option of the sa_server_option system procedure. You can specify a web service client log file when starting the database server. See -zoc server option.
remote Disables all features that allow remote access or communication with remote processes. This set consists of the following features.
remote_data_access Disables the use of any remote data access services, such as proxy tables.
send_udp Disables the ability to send UDP packets to a specified address using the sa_send_udp system procedure.
web_service_client Disables the use of web service client stored procedure calls (that is, stored procedures that issue HTTP requests).
The following table lists all the feature set keywords and their hierarchy. For example, local_io encompasses the read_file, write_file, delete_file, and directory features.
The following command starts a database server named secure_server with access to the request log and with all remote data access features disabled. The key specified by the -sk option can be used later with the secure_feature_key database option to enable these features for a specific connection.
dbsrv11 -n secure_server -sf request_log,remote -sk j978kls12 |
If a user connected to a database running on the secure_server database server sets the secure_feature_key option to the value specified by -sk, that connection has access to the request log and remote data access features:
SET TEMPORARY OPTION secure_feature_key = 'j978kls12'; |
The following command disables all features, with the exception of local database features:
dbeng11 -n secure_server -sf all,-local_db |
Send feedback about this page via email or DocCommentXchange | Copyright © 2008, iAnywhere Solutions, Inc. - SQL Anywhere 11.0.0 |