Considering Additional Security

Multiple security issues are taken into consideration when you are writing Berkeley DB applications. The following sections detail these security issues further.

Database Environment Permissions

To ensure that files in the environment are not accessible to unauthorized users, set permissions on the directory used as the Berkeley DB database environment. You must carefully check the applications that add to the user's permissions (for example, UNIX setuid or setgid applications) to prevent illegal use of those permissions. An example of such a permission is general file access in the environment directory.

Environment Variables

Setting the DB_USE_ENVIRON and DB_USE_ENVIRON_ROOT flags and allowing the use of environment variables during file naming can be dangerous. Setting those flags in Berkeley DB applications with additional permissions (for example, UNIX setuid or setgid applications) could potentially allow users to read and write databases to which they would not normally have access.

File Permissions

By default, Berkeley DB always creates files that are readable and writable by the owner and the group (that is, S_IRUSR, S_IWUSR, S_IRGRP, and S_IWGRP; or octal mode 0660 on historic UNIX systems). The group ownership of created files is based on the system and directory defaults, and is not further specified by Berkeley DB.


When opening a database on a UNIX/Linux machine, you can specify the file permissions with the mode flag.

Temporary Backing Files

If an unnamed database is created and the cache is too small to hold the database in memory, Berkeley DB will create a temporary physical file to enable it to page the database to disk as needed. In this case, environment variables such as TMPDIR may be used to specify the location of that temporary file. Although temporary backing files are created readable and writable by the owner only (S_IRUSR and S_IWUSR, or octal mode 0600 on historic UNIX systems), some filesystems may not sufficiently protect temporary files created in random directories from improper access. To be absolutely safe, applications storing sensitive data in unnamed databases should use the DB_ENV->set_tmp_dir() method to specify a temporary directory with known permissions.


The Berkeley DB Tcl API evaluates user input as Tcl commands. For this reason, it may be dangerous to pass unreviewed user input through the Berkeley DB Tcl API, as the input may subsequently be evaluated as a Tcl command. Additionally, the Berkeley DB Tcl API initialization routine resets effective user and group IDs to the real user and group IDs. This minimizes the effectiveness of a Tcl injection attack.

External Files

External files are not encrypted even when encryption has been specified at the environment or database level. The only way to protect the external files is by using the file system permission restrictions to the directory tree in which the external files are stored.

Private Environments

When using the environment flag DB_PRIVATE, it is possible for old data in the heap to leak onto unused parts of the database page. You can avoid this by not using that flag, or by compiling Berkeley DB with the UMWR flag.