Subject Re: [firebird-support] Security.fdb / RDB$SECURITY_CLASSES / ACL / PUBLIC user rights
Author Helen Borrie
At 12:14 PM 4/07/2004 +0200, you wrote:
>Hello,
>
>I am working on a Delphi application based on Firebird 1.5.
>At the moment I am trying to find a way to force each database-user
>to change his passwords every 30 days.
>As a starting point I used the scripts of Ivan Prenosil published
>on his homepage at www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm.
>
>After making some changes like new tables, procedures and triggers
>in database security.fdb I found out that a normal user could not
>connect any longer to any database. I am getting the message:
>
>'This user does not have privilege to perform this operation on this object.
>no permission for execute access to DATABASE .'

Are you sure it says this? Users get execute access to stored procedures.


>I found out that it is probably caused by an entry in table
>RDB$SECURITY_CLASSES with name DATABASE_ACCESS since all works
>fine when I create a complete new database, copy all the structure
>and content of security.fdb to this new database and finally
>substitute security.fdb by the new one. In this new database I
>could not find any record named DATABASE_ACCESS, so that's why
>I came to the conclusion that this record must be the trouble-maker.

Well.....in some indirect way, it is. The table RDB$SECURITY_CLASSES
should not be accessed by you. It is maintained by the server when SQL
permissions are changed. Since the system tables are a relational
database, and you don't know what the dependencies are, you are asking for
trouble if you attempt to get into there and meddle with them. I sure hope
you have a good, tested backup of your security database.


>My question now is:
>Is the record DATABASE_ACCESS of table RDB$SECURITY_CLASSES vital for the
>working of firebird?

The answer is: yes.

>If yes, is it 'allowed' to change this record to give execute rights
>on procedures to PUBLIC user?

NO !!!

>How then do you have to change this record?

Use SQL permissions (privileges) - GRANT

>Is there any instrument/program to see and change security classes in
>firebird?

No. By design, there is not. However, you can view the various system
blobs in isql by using SET BLOB n and then querying the table in
question. For the BLOB SUB_TYPE ACL, n = 3.

>What is the meaning of the content of binary blob field RDB$ACL in the
>table? I refer here to the way how the access control lists are stored in
>that field.

It's only meant to be meaningful to a process in the server engine.


>In my opinion the security class DATABASE_ACCESS must describe something
>like: Give full access to database to SYSDBA and read access to the rest.
>How is this information coded in the ACL?

I don't know and I don't need to know.


>I am developing on a Windows2K system but the result should work on Linux
>as well.

Right, it should. Methinks you need to revisit Ivan's documentation for
his scripts - soon, before you break something. I strongly suggest you
brief yourself on the thoroughly boring and infuriating topic of SQL
privileges before you do any more tinkering with the security database.

/heLen