Subject Re: [firebird-support] Move DB from OWner SYSDBA to an new owner
Author David Cornelius
This is somewhat disturbing--I guess I had never fully realized this. I was under the impression that you could create a new user, grant that new user to the database and remove SYSDBA as a valid user for that database and prevent someone else from gaining access to the database. But in reading through the documentation on security, I found that the SYSDBA user has access to EVERYTHING regardless of other security set up in the database.

So far, I haven't run into a situation where I would need to prevent a user from gaining access to the database, but I can imagine a scenario where you're deploying a proprietary application that will be installed by the customer and you don't want them to see your data structure or code. Is it really true that there is no way to prevent that in Firebird? I suppose at least you can remove the source code from procedures and triggers--as discussed last month in this group.

Also discussed last month, was a trick to prevent SYSDBA from accessing a database by creating a SYSDBA role, but after reading that thread again, I'm left thinking that wouldn't stop a Firebird reinstallation any more than simply hiding the SYSDBA password.

I've done some work with another database, DBISAM (, which allows the tables themselves to be encrypted with a password. It would be nice to see something like this or possibly some other method of preventing a deployed database from prying eyes.

David Cornelius

----- Original Message -----
From: Steffen Heil
Sent: Wednesday, March 03, 2004 8:52 AM
Subject: RE: [firebird-support] Move DB from OWner SYSDBA to an new owner


> The SYSDBA user is the equivilent of the Root user under *NIX or
Administrator under Windows, it has access to everything. If you don't want
people to access a DB using SYSDBA, don't give them the password.

Basicly, the problem was that people could simply reinstall firebird and
thereby resetting the SYSDBA password.

The real answer is simple. You cannot prevent this. If you want to have a
secure database, store it on a secure server. Everyone who has physical
access to that machine can get access to the database. If he as root or full
administrative rights it is far easier.

[Non-text portions of this message have been removed]