Subject | Security.fdb / RDB$SECURITY_CLASSES / ACL / PUBLIC user rights |
---|---|
Author | Pumuqui |
Post date | 2004-07-04T10:14:24Z |
Hello,

I am working on a Delphi application based on Firebird 1.5.
At the moment I am trying to find a way to force each database user
to change his password every 30 days.

As a starting point I used the scripts of Ivan Prenosil published
on his homepage at www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm.

After making some changes like new tables, procedures and triggers
in database security.fdb I found out that a normal user could no
longer connect to any database. I am getting the message:

'This user does not have privilege to perform this operation on this object.
no permission for execute access to DATABASE .'

I found out that it is probably caused by an entry in table
RDB$SECURITY_CLASSES with name DATABASE_ACCESS, since all works
fine when I create a completely new database, copy all the structure
and content of security.fdb to this new database and finally
replace security.fdb with the new one. In this new database I
could not find any record named DATABASE_ACCESS, so that's why
I came to the conclusion that this record must be the troublemaker.

My question now is:

Is the record DATABASE_ACCESS of table RDB$SECURITY_CLASSES vital for
the working of Firebird?

If yes, is it 'allowed' to change this record to give execute rights
on procedures to PUBLIC user? How then do you have to change this record?

Is there any instrument/program to see and change security classes in Firebird?

What is the meaning of the content of binary blob field RDB$ACL in the
table? I refer here to the way the access control lists are stored in
that field.

In my opinion the security class DATABASE_ACCESS must describe something
like: Give full access to database to SYSDBA and read access to the rest.
How is this information coded in the ACL?

I am developing on a Windows2K system but the result should work on Linux
as well.

Thanks a lot in advance for all responses.