Subject Re: [firebird-support] FB users can do too much by default
Author Helen Borrie
At 02:35 PM 9/11/2005 +0100, you wrote:
>Hi, I use firebird package 1.5.1-4 on Debian Sarge, have all fdb files
>in /var/lib/firebird2/data accessible only by aliases defined in
>/etc/firebird2/aliases.conf. I'm facing the following problem:
>With GSEC I create two users U1 and U2, both with UID matching their
>/etc/passwd UID's. U1 owns u1.fdb, U2 owns u2.fdb (ownership assigned
>with CREATE DATABASE command). Each creates some tables in his db.
>Now U1 is not able to SELECT from tables created by U2 in u2.fdb
>(permission denied, that's good), but U1 is able to create tables (and
>select from them) that he creates in u2.fdb. He also can list tables in
>I would wish any access to databases be denied for users other than the
>db owner. Was unable to find any mention about it in the docs. Is it
>possible in some easy way?

Giving access to the server gives access to databases on the server. But
only SYSDBA and the db owner has any rights to anything in those databases.

Rogue user U2 can - with access to the server through an authenticated user
login - create *new* objects in any database. U2 will own those
objects; but no objects for which U2 does not have permissions will be
accessible via U2's owned objects.

The potential for malicious damage comes where U2 *does* have permissions
to other objects, of course. I don't know of any way that you can protect
the databases from "the enemy within".