Subject: permission woes on Debian
Author: Markus Hoenicka
Hi

short version:

Still trying to get the firebird driver for the libdbi-drivers project
(http://libdbi-drivers.sourceforge.net, a database abstraction layer
for C) going. All attempts to do this on FreeBSD resulted in
segfaults, although I managed to create and access databases using the
isql tool. Now I'm trying my luck with Debian, with only infinitesimal
improvements. Again, I can create and access databases with isql (at
least under very peculiar circumstances), but all attempts to do so
with libdbi result in permission problems, which I'm trying to track
down (see below). The good news is that the test app no longer
crashes, but that's about it. I'm afraid one of the main reasons for my
utter failure is my lack of understanding of how firebird checks
permissions on database files. I hope someone is able to enlighten me.

long version:

Needless to say I've perused the available documentation (especially
OpGuide.pdf) to get an understanding of permissions. I was under the
impression that the account the server runs in, and the permissions of
the database and the directory that holds it determine whether or not
I can access a database, in addition to the username and the
password. But I must be missing something important as this does not
quite pan out. First, some system information (fresh Debian Etch
install):

markus@ocean:~/prog/libdbi-drivers-0.8.3-pre1$ uname -a
Linux ocean 2.6.18-5-486 #1 Fri Jun 1 00:07:22 UTC 2007 i686 GNU/Linux

I installed firebird2-super-server (1.5.3.4870-12) as a package:

markus@ocean:~$ su root
Password:
ocean:/home/markus# isql-fb -user SYSDBA -pass ***
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/data/libdbitest';
Statement failed, SQLCODE = -902

operating system directive semget failed
-No such file or directory
SQL> quit;
ocean:/home/markus# su firebird
firebird@ocean:/home/markus$ isql-fb -user SYSDBA -pass ***
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/data/libdbitest';
Statement failed, SQLCODE = -902

operating system directive semget failed
-No such file or directory

That is, the super-server is not doing me any good, neither as
root nor as user firebird. Next I tried the classic server (also
1.5.3.4870-12 from a package):

markus@ocean:~$ su root
Password:
ocean:/home/markus# isql-fb -user SYSDBA -pass ***
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/data/libdbitest';
SQL> connect /var/lib/firebird2/data/libdbitest;
Commit current transaction (y/n)?y
Committing.
Database: /var/lib/firebird2/data/libdbitest, User: SYSDBA
SQL> show tables;
There are no tables in this database

This looks ok so far. I can create a database and access it using the
database superuser account running from root.

The weird things are the ownerships and permissions:

ocean:/home/markus# ls -ald /var/lib/firebird2
drwxrwx--- 6 firebird firebird 4096 2007-12-30 00:13 /var/lib/firebird2
ocean:/home/markus# ls -ald /var/lib/firebird2/data
drwxrwx--- 2 firebird firebird 4096 2007-12-30 00:22 /var/lib/firebird2/data
ocean:/home/markus# ls -al /var/lib/firebird2/data/libdbitest
-rw-r--r-- 1 root root 598016 2007-12-30 00:23 /var/lib/firebird2/data/libdbitest

That is, the directories that Debian provided for the database expect
that the process that creates the database files runs as user
firebird. However, the database is created as root:root. As mentioned
previously, I figured this has to do with the process the server runs
in. But:

ocean:/home/markus# less /etc/inetd.conf |grep firebird
gds_db stream tcp nowait firebird /usr/sbin/tcpd /usr/lib/firebird2/bin/fb_inet_server

That is, the server should use the firebird account, not root. So the
permissions appear to be set by the client rather than by the
server. Now I'd like to see what happens if I run the test as
firebird, not as root:


ocean:/home/markus# rm /var/lib/firebird2/data/libdbitest

ocean:/home/markus# su firebird
firebird@ocean:/home/markus$ isql-fb -user SYSDBA -pass ***
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/data/libdbitest';
SQL> lock manager: couldn't set uid to superuser
SQL> connect '/var/lib/firebird2/data/libdbitest';
Statement failed, SQLCODE = -902

operating system directive semget failed
-Permission denied

ocean:/home/markus# ls -al /var/lib/firebird2/data/libdbitest
-rw-r--r-- 1 firebird firebird 598016 2007-12-30 00:36 /var/lib/firebird2/data/libdbitest

Although the database file has been created with the ownership that
I'd expect to be correct, I can't access the database as user
firebird. Weird.

I've also figured that I should be able to create or access databases
if I add myself to the firebird group. I did that (and logged out+in
to let the changes in /etc/group take effect):

markus@ocean:~/prog/libdbi-drivers-0.8.3-pre1$ less /etc/group|grep firebird
firebird:x:108:markus

ocean:/home/markus# exit
exit
markus@ocean:~$ isql-fb -user SYSDBA -pass ***
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect '/var/lib/firebird2/data/libdbitest';
Statement failed, SQLCODE = -902

operating system directive semget failed
-Permission denied

But no luck.

I'm sorry but all this does not make any sense to me. I must be
missing something very obvious.

regards,
Markus

--
Markus Hoenicka
markus.hoenicka@...
(Spam-protected email: replace the quadrupeds with "mhoenicka")
http://www.mhoenicka.de
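
The following is an added example, not part of the original post: a small shell helper that reads the run-as account from an inetd.conf entry and works out which permission triad (owner, group or other) applies to a given account for an `ls -l` line. The sample lines are copied from the listings in the post; the function names are hypothetical. It models only the classic Unix mode bits, not the semaphore access that `semget` reports, and not the root bypass.

```shell
#!/bin/sh
# Added example. Sample data is copied from the listings quoted in the post.
INETD_LINE='gds_db stream tcp nowait firebird /usr/sbin/tcpd /usr/lib/firebird2/bin/fb_inet_server'
DB_AS_ROOT='-rw-r--r-- 1 root root 598016 2007-12-30 00:23 /var/lib/firebird2/data/libdbitest'
DB_AS_FB='-rw-r--r-- 1 firebird firebird 598016 2007-12-30 00:36 /var/lib/firebird2/data/libdbitest'
DATA_DIR='drwxrwx--- 2 firebird firebird 4096 2007-12-30 00:22 /var/lib/firebird2/data'

# Read inetd.conf-format text on stdin; print the run-as account (5th field)
# of the entry for service $1. Commented-out entries do not match.
inetd_service_user() {
    awk -v svc="$1" '$1 == svc { print $5; exit }'
}

# Print the rwx triad that applies to an account for one "ls -l" line.
# $1 = ls -l line, $2 = account, $3 = that account's groups (space separated).
# uid 0 bypasses these checks and is not modelled here.
effective_triad() {
    printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" '{
        mode = $1; owner = $3; group = $4
        if (user == owner)                             start = 2  # owner bits
        else if (index(" " groups " ", " " group " ")) start = 5  # group bits
        else                                           start = 8  # other bits
        print substr(mode, start, 3)
    }'
}

# Succeed if the account may write to the object described by the ls -l line.
can_write() {
    case "$(effective_triad "$@")" in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

svc_user=$(printf '%s\n' "$INETD_LINE" | inetd_service_user gds_db)
echo "gds_db runs as: $svc_user"
for line in "$DB_AS_ROOT" "$DB_AS_FB" "$DATA_DIR"; do
    # Assumption: the service account is only in its own group.
    printf '%s sees %s on: %s\n' "$svc_user" \
        "$(effective_triad "$line" "$svc_user" "$svc_user")" "$line"
done
if can_write "$DB_AS_FB" markus "markus firebird"; then
    echo "markus (group firebird) can write the firebird-owned file"
else
    echo "markus (group firebird) gets read-only access: no group write bit"
fi
```
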