| Subject | Re: [firebird-support] Security.fdb / RDB$SECURITY_CLASSES / ACL / PUBLIC user rights |
|---|---|
| Author | Helen Borrie |
| Post date | 2004-07-04T11:17:27Z |
At 12:14 PM 4/07/2004 +0200, you wrote:
should not be accessed by you. It is maintained by the server when SQL
permissions are changed. Since the system tables are a relational
database, and you don't know what the dependencies are, you are asking for
trouble if you attempt to get into there and meddle with them. I sure hope
you have a good, tested backup of your security database.
blobs in isql by using SET BLOB n and then querying the table in
question. For the BLOB SUB_TYPE ACL, n = 3.
his scripts - soon, before you break something. I strongly suggest you
brief yourself on the thoroughly boring and infuriating topic of SQL
privileges before you do any more tinkering with the security database.
/heLen
>Hello,Are you sure it says this? Users get execute access to stored procedures.
>
>I am working on a Delphi application based on Firebird 1.5.
>At the moment I am trying to find a way to force each database-user
>to change his passwords every 30 days.
>As a starting point I used the scripts of Ivan Prenosil published
>on his homepage at www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm.
>
>After making some changes like new tables, procedures and triggers
>in database security.fdb I found out that a normal user could not
>connect any longer to any database. I am getting the message:
>
>'This user does not have privilege to perform this operation on this object.
>no permission for execute access to DATABASE .'
>I found out that it is probably caused by an entry in tableWell.....in some indirect way, it is. The table RDB$SECURITY_CLASSES
>RDB$SECURITY_CLASSES with name DATABASE_ACCESS since all works
>fine when I create a complete new database, copy all the structure
>and content of security.fdb to this new database and finally
>substitute security.fdb by the new one. In this new database I
>could not find any record named DATABASE_ACCESS, so that's why
>I came to the conclusion that this record must be the trouble-maker.
should not be accessed by you. It is maintained by the server when SQL
permissions are changed. Since the system tables are a relational
database, and you don't know what the dependencies are, you are asking for
trouble if you attempt to get into there and meddle with them. I sure hope
you have a good, tested backup of your security database.
>My question now is:The answer is: yes.
>Is the record DATABASE_ACCESS of table RDB$SECURITY_CLASSES vital for the
>working of firebird?
>If yes, is it 'allowed' to change this record to give execute rightsNO !!!
>on procedures to PUBLIC user?
>How then do you have to change this record?Use SQL permissions (privileges) - GRANT
>Is there any instrument/program to see and change security classes inNo. By design, there is not. However, you can view the various system
>firebird?
blobs in isql by using SET BLOB n and then querying the table in
question. For the BLOB SUB_TYPE ACL, n = 3.
>What is the meaning of the content of binary blob field RDB$ACL in theIt's only meant to be meaningful to a process in the server engine.
>table? I refer here to the way how the access control lists are stored in
>that field.
>In my opinion the security class DATABASE_ACCESS must describe somethingI don't know and I don't need to know.
>like: Give full access to database to SYSDBA and read access to the rest.
>How is this information coded in the ACL?
>I am developing on a Windows2K system but the result should work on LinuxRight, it should. Methinks you need to revisit Ivan's documentation for
>as well.
his scripts - soon, before you break something. I strongly suggest you
brief yourself on the thoroughly boring and infuriating topic of SQL
privileges before you do any more tinkering with the security database.
/heLen