Subject Re: I lost my firebird server login password??
Author Carlos Macao
--- In firebird-support@yahoogroups.com, Vahan Yoghoudjian
<vahan@p...> wrote:
> Speaking of security.fdb how secure are my firebird databases...
> let's say that someone has access on my server where a firebird
> database is installed but not on the databases, of course the
> SYSDBA password is modified. Now can this guy bring his own
> security.fdb, delete the existing one on the server and replace
> with his and therefore access my database?

There is one way; I saw it on a Brazilian site:

First you create a new user, let's call it xpto.

Then you create the DB with that user:
create database 'C:\teste.gbd' page_size 1024
user 'xpto' password '123456';

...create a role for SYSDBA:
CREATE ROLE SYSDBA;

And then we grant all the privileges to the 'xpto' user
and revoke everything from 'SYSDBA':

GRANT ALL ON TABLE1 TO xpto WITH GRANT OPTION;
REVOKE ALL ON TABLE1 FROM PUBLIC;
GRANT ALL ON TABLE2 TO xpto WITH GRANT OPTION;
REVOKE ALL ON TABLE2 FROM PUBLIC;
...
and so on, repeating this process for each table on your DB.
For other metadata, you should do something like:

GRANT ALL ON RDB$CHARACTER_SETS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$CHECK_CONSTRAINTS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$COLLATIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$DATABASE TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$DEPENDENCIES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$EXCEPTIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FIELDS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FIELD_DIMENSIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FILES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FILTERS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FORMATS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FUNCTIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$FUNCTION_ARGUMENTS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$GENERATORS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$INDEX_SEGMENTS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$INDICES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$LOG_FILES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$PAGES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$PROCEDURES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$PROCEDURE_PARAMETERS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$REF_CONSTRAINTS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$RELATIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$RELATION_CONSTRAINTS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$RELATION_FIELDS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$ROLES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$SECURITY_CLASSES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$TRANSACTIONS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$TRIGGERS TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$TRIGGER_MESSAGES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$TYPES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$USER_PRIVILEGES TO xpto WITH GRANT OPTION;
GRANT ALL ON RDB$VIEW_RELATIONS TO xpto WITH GRANT OPTION;

REVOKE ALL ON RDB$CHARACTER_SETS FROM PUBLIC;
REVOKE ALL ON RDB$CHECK_CONSTRAINTS FROM PUBLIC;
REVOKE ALL ON RDB$COLLATIONS FROM PUBLIC;
REVOKE ALL ON RDB$DATABASE FROM PUBLIC;
REVOKE ALL ON RDB$DEPENDENCIES FROM PUBLIC;
REVOKE ALL ON RDB$EXCEPTIONS FROM PUBLIC;
REVOKE ALL ON RDB$FIELDS FROM PUBLIC;
REVOKE ALL ON RDB$FIELD_DIMENSIONS FROM PUBLIC;
REVOKE ALL ON RDB$FILES FROM PUBLIC;
REVOKE ALL ON RDB$FILTERS FROM PUBLIC;
REVOKE ALL ON RDB$FORMATS FROM PUBLIC;
REVOKE ALL ON RDB$FUNCTIONS FROM PUBLIC;
REVOKE ALL ON RDB$FUNCTION_ARGUMENTS FROM PUBLIC;
REVOKE ALL ON RDB$GENERATORS FROM PUBLIC;
REVOKE ALL ON RDB$INDEX_SEGMENTS FROM PUBLIC;
REVOKE ALL ON RDB$INDICES FROM PUBLIC;
REVOKE ALL ON RDB$LOG_FILES FROM PUBLIC;
REVOKE ALL ON RDB$PAGES FROM PUBLIC;
REVOKE ALL ON RDB$PROCEDURES FROM PUBLIC;
REVOKE ALL ON RDB$PROCEDURE_PARAMETERS FROM PUBLIC;
REVOKE ALL ON RDB$REF_CONSTRAINTS FROM PUBLIC;
REVOKE ALL ON RDB$RELATIONS FROM PUBLIC;
REVOKE ALL ON RDB$RELATION_CONSTRAINTS FROM PUBLIC;
REVOKE ALL ON RDB$RELATION_FIELDS FROM PUBLIC;
REVOKE ALL ON RDB$ROLES FROM PUBLIC;
REVOKE ALL ON RDB$SECURITY_CLASSES FROM PUBLIC;
REVOKE ALL ON RDB$TRANSACTIONS FROM PUBLIC;
REVOKE ALL ON RDB$TRIGGERS FROM PUBLIC;
REVOKE ALL ON RDB$TRIGGER_MESSAGES FROM PUBLIC;
REVOKE ALL ON RDB$TYPES FROM PUBLIC;
REVOKE ALL ON RDB$USER_PRIVILEGES FROM PUBLIC;
REVOKE ALL ON RDB$VIEW_RELATIONS FROM PUBLIC;

Ok, that's all, if someone tries to access your db by replacing
security.fdb, or by moving the db to another computer, he will never
get access to it, because SYSDBA will have no grants for that db.

Of course, if he knows the name of your DBA user, he will find a way.
You only have to choose an unusual name for this task.

I didn't try the process, but I think it will work.

Best regards,
Carlos Macao
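
The per-table step in the message above can be generated from the system tables and then checked, as in this added example (not part of the original post or of the Firebird project). It assumes the owner is the post's `xpto` user, stored upper-cased as `XPTO`, and that table names are ordinary unquoted identifiers.

```sql
-- Added example. Run in isql while connected to the target database.

-- 1. Generate the GRANT/REVOKE pairs for every user table and view
--    instead of typing them by hand. RDB$RELATION_NAME is a padded
--    CHAR column; the trailing spaces in the output are harmless.
SELECT 'GRANT ALL ON ' || RDB$RELATION_NAME || ' TO xpto WITH GRANT OPTION;'
FROM RDB$RELATIONS
WHERE RDB$SYSTEM_FLAG = 0 OR RDB$SYSTEM_FLAG IS NULL
ORDER BY RDB$RELATION_NAME;

SELECT 'REVOKE ALL ON ' || RDB$RELATION_NAME || ' FROM PUBLIC;'
FROM RDB$RELATIONS
WHERE RDB$SYSTEM_FLAG = 0 OR RDB$SYSTEM_FLAG IS NULL
ORDER BY RDB$RELATION_NAME;

-- 2. After running the generated statements, list whatever PUBLIC or
--    SYSDBA still holds. RDB$PRIVILEGE is a one-letter code
--    (S = select, I = insert, U = update, D = delete, R = references).
SELECT RDB$RELATION_NAME, RDB$USER, RDB$PRIVILEGE, RDB$GRANT_OPTION
FROM RDB$USER_PRIVILEGES
WHERE RDB$USER IN ('PUBLIC', 'SYSDBA')
ORDER BY RDB$RELATION_NAME, RDB$USER, RDB$PRIVILEGE;

-- 3. List relations (system tables included) on which XPTO has no
--    privilege WITH GRANT OPTION, i.e. objects the procedure missed.
SELECT r.RDB$RELATION_NAME
FROM RDB$RELATIONS r
WHERE NOT EXISTS (
    SELECT 1
    FROM RDB$USER_PRIVILEGES p
    WHERE p.RDB$RELATION_NAME = r.RDB$RELATION_NAME
      AND p.RDB$USER = 'XPTO'
      AND p.RDB$GRANT_OPTION = 1
)
ORDER BY r.RDB$RELATION_NAME;
```

Query 2 should return no PUBLIC rows and query 3 no rows at all once every table has been covered; any row that does appear names an object still to be handled.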