Subject | RE: [Firebird-Architect] Firebird init script |
---|---|
Author | Rick Debay |
Post date | 2006-03-27T17:11:53Z |
> In fb2 there is no sysdba password in init script at all
You are correct, I just checked our rpm install of the beta and while
the comment is still there, the code is not. I will have to check the
tarball install, I could swear it contained the old script. Or perhaps
we installed the wrong tarball on the test system.
> For production system suggested feature is a bad thing.
I don't understand. Anyone who can run kill as root can of course stop
the server. But the comment in the script suggested that only root
should be able to stop the server. I wanted to make sure that any
shutdown scripts, programs, etc belong to the firebird group, and not
root.
FWIW, you may want to change the rpm install to set file and directory
ownerships back to firebird. On our test system they're all owned by
root (We log on as root to the test systems. In production that's not
done, of course).
Thanks, Rick DeBay
-----Original Message-----
From: Firebird-Architect@yahoogroups.com
[mailto:Firebird-Architect@yahoogroups.com] On Behalf Of Alex Peshkov
Sent: Sunday, March 26, 2006 4:13 AM
To: Firebird-Architect@yahoogroups.com
Subject: Re: [Firebird-Architect] Firebird init script
Rick Debay wrote:
> If this hasn't been fixed per Pavel's comment, I'd like to suggest
> that anyone belonging to the firebird group be allowed to start or
> stop the server. Then the SYSDBA password won't be in clear-text in
> the init script.
>
> -----Original Message-----
> From: firebird-support@yahoogroups.com
> [mailto:firebird-support@yahoogroups.com] On Behalf Of Rick Debay
> Sent: Tuesday, March 21, 2006 6:20 PM
> To: firebird-support@yahoogroups.com
> Subject: [firebird-support] Firebird init script
>
> Can someone comment on Pavel's comment in the Firebird init script?
>
> # WARNING: in a real-world installation, you should not put the
> # SYSDBA password in a publicly-readable file.
> # Eventually this file should not need to contain any passwords.
> # as root user alone should be sufficient privledge to stop/start
> # the server.
>
> Has this been fixed? Shouldn't anyone belonging to the firebird group
> be allowed to stop/start the server?
> Would a PAM be useful here?
>
Keeping the password in any 'encrypted' way which may be used to connect to
firebird as sysdba is not the way to go. In fb2 there is no sysdba
password in the init script at all - and after the fb2 release (or even sooner,
if it takes a long time) I can port this to vulcan.
The ability to start and stop firebird will depend only on the ability of a
member of a group to kill processes belonging to user firebird and to
start it with 'su firebird'. Right now I'm not sure whether it is possible or not. If
not, this means that OS security prohibits such activity. And I don't
see any good reason to violate OS rules.
For a production system the suggested feature is a bad thing. For development
- maybe good. But I'm sure developers can solve such a problem
themselves, violating OS security on their development system.
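The arrangement argued for in this thread (no SYSDBA password in the init script; starting the server as the firebird user; stopping it by signalling only processes that user owns, so the OS rather than the script decides who may do it) as an added example init-style script. This is not the Firebird project's own script: FB_USER, FB_GROUP, FB_DAEMON and FB_BIN are assumed names, FB_BIN is a placeholder path, and the process lookup reads /proc directly, which is a Linux-specific choice made here.

```shell
#!/bin/sh
# Added example, not the Firebird project's init script: manage a server
# process with no SYSDBA password anywhere in the file. Start/stop rights
# come only from OS ownership (processes owned by the service account) and
# from membership of the service group, as discussed in the thread.
# FB_USER, FB_GROUP, FB_DAEMON and FB_BIN are assumed names; FB_BIN is a
# placeholder path to adjust for the actual install.
FB_USER="${FB_USER:-firebird}"
FB_GROUP="${FB_GROUP:-firebird}"
FB_DAEMON="${FB_DAEMON:-fbserver}"
FB_BIN="${FB_BIN:-/path/to/firebird/bin/fbserver}"

# in_group USER GROUP: succeed if USER's primary or supplementary groups include GROUP.
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# may_manage: root, or any member of FB_GROUP, may start or stop the server.
may_manage() {
    me="$(id -un)"
    [ "$me" = root ] || in_group "$me" "$FB_GROUP"
}

# daemon_pids USER NAME: print the pids of live (non-zombie) processes named
# NAME whose real uid is USER's, read straight from /proc (Linux-specific) so
# the check rests on the kernel's ownership record, not on any credential.
daemon_pids() {
    uid="$(id -u "$1" 2>/dev/null)" || return 1
    for d in /proc/[0-9]*; do
        name=""; state=""; puid=""
        while read -r k v _; do
            case "$k" in
                Name:)  name="$v" ;;
                State:) state="$v" ;;
                Uid:)   puid="$v"; break ;;
            esac
        done 2>/dev/null < "$d/status"
        [ "$state" = Z ] && continue      # already dead, only waiting to be reaped
        [ "$name" = "$2" ] && [ "$puid" = "$uid" ] && printf '%s ' "${d#/proc/}"
    done
    return 0
}

# stop_daemon USER NAME [TIMEOUT]: TERM every matching process, wait up to
# TIMEOUT seconds, then KILL whatever is left. kill only succeeds on processes
# the caller is permitted to signal, so the OS, not this script, draws the line.
stop_daemon() {
    timeout="${3:-10}"
    pids="$(daemon_pids "$1" "$2")"
    [ -z "$pids" ] && return 0
    kill -TERM $pids 2>/dev/null
    i=0
    while [ "$i" -lt "$timeout" ] && [ -n "$(daemon_pids "$1" "$2")" ]; do
        sleep 1
        i=$((i + 1))
    done
    pids="$(daemon_pids "$1" "$2")"
    [ -n "$pids" ] && kill -KILL $pids 2>/dev/null
    [ -z "$(daemon_pids "$1" "$2")" ]
}

# start_daemon: run the server under FB_USER. Root switches with su, FB_USER
# runs it directly, anyone else is refused. No password is read here.
start_daemon() {
    case "$(id -un)" in
        root)       su -s /bin/sh "$FB_USER" -c "$FB_BIN" ;;
        "$FB_USER") "$FB_BIN" ;;
        *)          echo "start needs root or the $FB_USER account" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    start)  may_manage || { echo "not permitted" >&2; exit 1; }
            start_daemon ;;
    stop)   may_manage || { echo "not permitted" >&2; exit 1; }
            stop_daemon "$FB_USER" "$FB_DAEMON" ;;
    status) p="$(daemon_pids "$FB_USER" "$FB_DAEMON")"
            if [ -n "$p" ]; then echo "running: $p"; else echo "stopped"; fi ;;
    "")     : ;;   # no action given (e.g. sourced for its functions): define only
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

The group check in may_manage is only a convenience message: if a caller outside the firebird group gets past it, kill and su still fail on processes and accounts they do not own, which is exactly the "don't violate OS rules" position taken above. Zombies are skipped in daemon_pids because a process that has already exited cannot be stopped again and would otherwise make the stop loop run to its timeout.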