Disable Sybase ASA Backup

mmangels
Explorer
3,191

Hello,

We are looking into several security concerns, and we are wondering if it would be possible to disable the creation of a backup of a Sybase SQL Anywhere 11.0.1 database. We currently often use DBBackup.exe to create a backup of a database. However, there are some databases running in the field where we would like to block this possibility from any user. I have found in the Authorities of a user the checkbox "backup" "required to perform database backups", however I think that the DBA also has this possibility. Would it be possible to block this from the DBA as well, or have a database without a DBA user? (that last doesn't seem possible)

Kind regards,

Michael

VolkerBarth
Contributor
0 Kudos

FWIW, revoking BACKUP privilege from DBA (which a DBA hasn't been granted by default) doesn't prevent them from doing backups at all - the DBA privilege seems to contain BACKUP and VALIDATE by design...

Breck_Carter
Participant

A database for which the end users have access to a user id with DBA privilege has no security whatsoever, and preventing a backup will not improve the situation.

Answers (2)

VolkerBarth
Contributor

Some suggestions:

  • The "secured features" facility (dbsrvX -sf) allows you to prevent some server actions, among others server-side backups (which comprises DBBACKUP -s). That's the feature "backup". - It does not prevent client-side backups.
  • You could use a "BackupEnd" type event to find out that a backup has taken place (and possibly could then remove the backup immediately) - however, it's not easy to find out the backup location, and if it's on a location not accessible for the database server (say, a client computer), that won't do at all.
  • The database system cannot prevent any user from copying the database files when the database is not loaded (and therefore to make a full image backup) - so that's only limited by OS permissions.

That may rather limit your possibilities...

justin_willey
Participant

By definition DBA can do anything - they are the owner of the database. I don't think that a database could exist without one.

I suspect the answer to your problem is to ensure that the DBA password is NEVER distributed and that clients in the field connect with a lower level of authority. You may also want to look at database encryption so that the database file cannot be hacked directly.

VolkerBarth
Contributor

Well, we do use databases without a DBA (actually still with a DBA, however the DBA user has no password and cannot connect anymore - just like these particular SYS and dbo users), but these are SQL Remote databases, and they can "re-gain" a DBA "from outside" by means of passthrough mode. Something similar might be possible with MobiLink clients (but I'm not sure). So that's a very particular situation.

For a single database, I don't think it even makes sense to drop any user with DBA privilege - you would not be able to alter anything general afterwards...

FWIW, I just tested with the v12 demo: You are able to revoke the DBA privilege from a DBA user, and she cannot do backup afterwards (unless the BACKUP privilege is set explicitly). However, as stated, you won't be able to change that back if there's no other user with DBA privilege...
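
Added example, not posted by anyone in this thread: the low-authority field account and the BackupEnd auditing suggested in the answers, written as SQL Anywhere SQL. The names field_app, backup_audit and ev_backup_audit and the password placeholder are hypothetical, and the catalog query assumes the SYS.SYSUSERAUTHORITY view of SQL Anywhere 10 to 12.

```sql
-- Added example. Run once as the DBA user, whose password stays out of the field.
-- All object names below are hypothetical.

-- 1. Field clients connect with an account that holds neither DBA nor BACKUP
--    authority. Grant only the table permissions the application needs.
GRANT CONNECT TO field_app IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
-- GRANT SELECT, INSERT, UPDATE ON <owner>.<table> TO field_app;

-- 2. Audit table written by the event handler below.
CREATE TABLE backup_audit (
    id           INTEGER      NOT NULL DEFAULT AUTOINCREMENT PRIMARY KEY,
    finished_at  TIMESTAMP    NOT NULL DEFAULT CURRENT TIMESTAMP,
    triggered_by VARCHAR(128) NULL
);

-- 3. BackupEnd system event: records that a backup completed.
--    It detects a backup after the fact; it does not block it and, as noted
--    in the answer, it does not reveal where the backup was written.
CREATE EVENT ev_backup_audit
TYPE BackupEnd
HANDLER
BEGIN
    INSERT INTO backup_audit ( triggered_by )
    VALUES ( EVENT_PARAMETER( 'User' ) );
    COMMIT;
    MESSAGE 'BackupEnd: backup finished, user='
            || EVENT_PARAMETER( 'User' )
        TYPE WARNING TO CONSOLE;
END;

-- 4. Periodic review: which users can back up the database?
--    DBA authority implies BACKUP, so both must be listed.
--    (Assumes the SYSUSERAUTHORITY catalog view; check it for your version.)
SELECT u.user_name, a.auth
  FROM SYS.SYSUSERAUTHORITY a
  JOIN SYS.SYSUSER u ON u.user_id = a.user_id
 WHERE a.auth IN ( 'DBA', 'BACKUP' )
 ORDER BY u.user_name;

-- Server-side backups can additionally be blocked at server start with the
-- secured-features option mentioned in the answer (dbsrvX -sf, feature "backup").
```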