Subject Re: [firebird-support] Re: Fire-up firebird
Author Helen Borrie
At 06:38 PM 18/08/2004 +0000, you wrote:
>Hi
>
> > > .gsec -user SYSDBA -password HqoRQThB (I presume it is safe to
> > > publish this temporary password.) It still doesn't work.
> >
> > You sure meant: ./gsec ?

I did. Comes from trying to answer support questions at 1:15 in the
morning. I forget the slash myself about 60% of the time. I did realise
the error as I lapsed into sleep, but decided not to get up and send a
correction. Good for your Linux learning curve. :-)

>
>You legged me up there - your deliberate mistake was ".gsec". If
>I'd known more I should've noticed. But....BINGO it worked. But
>again.. it does say:
>
>lock manager: couldn't set uid to superuser
>GSEC>
>
>Is this serious?

It can be. It's a "feature" on POSIX platforms, that the root user has all
powers in the server, provided you don't try to log on as a user. SYSDBA is
a user, root can't be. Along the same lines, trusted OS users can get
access to databases without going through security authentication, and will
have any database privileges that have been granted to PUBLIC.

There's currently a security hole in Borland's InterBase 6.x and 7.x, where
this bypass code has been surfaced to **all versions on all
platforms**. Anyone trying to log in without a password can access any
database with SYSDBA privileges.

For commercial IB users who haven't been informed about this, you can get
6.5 and 7.1 patches here:
http://info.borland.com/devsupport/interbase/security_update.html

/heLen