Please be aware that the content in SAP SQL Anywhere Forum will be migrated to the SAP Community in June and this forum will be retired.

Disable Sybase ASA Backup

2

Hello,

We are looking into several security concerns, and we are wondering if it would be possible to disable the creation of a backup of a Sybase SQL Anywhere 11.0.1 database. We currently often use DBBackup.exe to create a backup of a database. However, there are some databases running in the field where we would like to block this possibility from any user. I have found in the Authorities of a user the checkbox "backup" "required to perform database backups", however think that the DBA also has this possibility. Would it be possible to block this from the DBA aswell, or have a database without a DBA user ? (that last doesn't seem possible)

Kind regards,

Michael

asked 20 Jan '12, 03:45

MichaelMangelschots's gravatar image

MichaelMange...
1255615
accept rate: 0%

edited 20 Jan '12, 07:24

Volker%20Barth's gravatar image

Volker Barth
40.2k361550822

FWIW, revoking BACKUP priviledge from DBA (which a DBA doesn't have been granted by default) doesn't prevent them from doing backups at all - the DBA priviledge seems to contain BACKUP and VALIDATE by design...

(20 Jan '12, 07:24) Volker Barth
1

A database for which the end users have access to a user id with DBA privilege has no security whatsoever, and preventing a backup will not improve the situation.

(20 Jan '12, 09:11) Breck Carter
2 Answers:
active answersoldest answersnewest answerspopular answers
1

By definition DBA can do anything - they are the owner of the database. I don't think that a database could exist without one.

I suspect the answer to your problem is to ensure that the DBA password is NEVER distributed and that clients in the field connect with a lower level of authority. You may also want to look at database encryption so that the database file cannot be hacked directly.

permanent link

answered 20 Jan '12, 05:30

Justin%20Willey's gravatar image

Justin Willey
7.6k137179249
accept rate: 20%

1

Well, we do use databases without a DBA (actually still with a DBA, however the DBA user has not password and cannot connect anymore - just like these particular SYS and dbo users), but these are SQL remote databases, and they can "re-gain" a DBA "from outside" by means of passthough mode. Something similar might be possible with MobiLink clients (but I'm not sure). So that's a very particular situation.

For a single database, I don't think it even makes sense to drop any user with DBA priviledge - you would not be able to alter anything general afterwards...

FWIW, I just tested with the v12 demo: You are able to revoke the DBA priviledge from a DBA user, and she cannot do backup afterwards (unless the BACKUP priviledge is set explicitly). However, as stated, you won't be able to change the back if there's no other user with DBA priviledge...

(20 Jan '12, 06:58) Volker Barth
1

Some suggestions:

  • The "secured features" facility (dbsrvX -sf) allows to prevent some server actions, among others server-side backups (which comprises DBBACKUP -s). That's the feature "backup". - It does not prevent from doing client-side backups.
  • You could use a "BackupEnd" type event to find out that a backup has taken place (and possibly could then remove the backup immediately) - however, it's not easy to find out the backup location, and if it's on a location not accessible for the database server (say, a client computer), that won't do at all.
  • The database system cannot prevent any user from copying the database files when the database is not loaded (and therefore to make a full image backup) - so that's only limited by OS permissions.

That may rather limit your possibilities...

permanent link

answered 20 Jan '12, 07:11

Volker%20Barth's gravatar image

Volker Barth
40.2k361550822
accept rate: 34%

edited 20 Jan '12, 07:13

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×143
×84
×48

question asked: 20 Jan '12, 03:45

question was seen: 2,950 times

last updated: 20 Jan '12, 09:13

Related questions

SQLA and storage system snapshots

simple encryption question

Backups suddenly failing

SQL Anywhere on Windows operating system changes db file to read only

SQLA and NetApp Snapshot

Recovery with 2 transaction logs issue

Create connection in Visual-Studio-2013 with .NET-Framework-4 to Sql-Anywhere-11

Intent locks not blocking each other?

Allow SADIAGDIR to be set by DB server start-up parameters

Mobilink screen freezes in Windows Mobile 6.5