Subject More on security
Author rajsubramani
I have read the recent posts on Firebird security. I am referring,
here, mainly to the client server mode of Firebird and I feel that
security can basically be circumvented. I hope you will tell me that I
am wrong (and with some luck, why so).

Suppose I wish to deploy an enterprise archive with JBoss which
connects to a Firebird datasource. I supply a gdb file with my dist
(ear file) which contains my tables and more importantly some
important trigger checks.

I supply this DB with a user role with limited privileges so the user
cannot modify (or drop) this trigger.

Now I expect the user to download FB from the FB web site and install
it.

Hey presto, the third party can now set SYSDBA and password to his
choice, connect to my DB, drop the triggers or whatever.

Most other DBs I work with have a concept of DB owner which goes with
the DB file(s). By delegating user password security to security.fdb,
hasn't this been circumvented?

I look forward to someone pointing out that I have got the wrong end
of the stick and I shall go away and live happily ever after ... or
will I?

Cheers
-raj