> I have read the recent posts on Firebird security. I am refering,
> here, mainly to the client server mode of firebird and I feel that
> security can basically be circumvented. I hope you will tell me that I
> am wrong (and with some luck, why so).
>
> Suppose I wish to deploy an enterprise archive with JBoss which
> connects to a Firebird datasource. I supply a gdb file with my dist
> (ear file) which contains my tables and more importantly some
> important trigger checks.
>
> I supply this DB with a user role with limited privileges so the user
> cannot modify (or drop) this trigger.
>
> Now I expect the user to download FB from the FB web site and install
> it .
>
> Hey presto, the third party can now set SYSDBA and password to his
> choice, connect to my DB, drop the triggers or whatever.
>
> Most other DB's I work with have a concept of DB owner which goes with
> the DB file(s). By delegating user password security to security.fdb
> hasn't this been circumvented?
>
> I look forward to someone pointing out that I have got the wrong end
> of the stick and I shall go away and live happily ever after ... or
> will I?
>
> Cheers
> -raj

FB databases have owners and they have roles inside the db file but as you
say - any foreign installed server can access your database if they get
their hands on the file itself.
You should consider encrypting the data and perhaps even removing the
trigger and SP source before you distribute. This makes things very hard for
people to fiddle and expect to keep it working as you intend.
Alan