Subject: Re: [firebird-support] permission woes on Debian
Author: Helen Borrie
At 11:32 AM 30/12/2007, you wrote:
>Hi
>
>short version:
>
>Still trying to get the firebird driver for the libdbi-drivers project
>(http://libdbi-drivers.sourceforge.net, a database abstraction layer
>for C) going. All attempts to do this on FreeBSD resulted in
>segfaults, although I managed to create and access databases using the
>isql tool. Now I'm trying my luck with Debian, with only infinitesimal
>improvements. Again, I can create and access databases with isql (at
>least under very peculiar circumstances), but all attempts to do so
>with libdbi result in permission problems, which I'm trying to track
>down (see below). The good news is that the test app no longer
>crashes, but that's about it. I'm afraid one of the main reasons of my
>utter failure is my lack of understanding of how firebird checks
>permissions on database files. I hope someone is able to enlighten me.
>
>long version:
>
>Needless to say I've perused the available documentation (especially
>OpGuide.pdf) to get an understanding of permissions. I was under the
>impression that the account the server runs in, and the permissions of
>the database and the directory that holds it determine whether or not
>I can access a database, in addition to the username and the
>password. But I must be missing something important as this does not
>quite pan out. At first some system information (fresh Debian Etch
>install):
>
>markus@ocean:~/prog/libdbi-drivers-0.8.3-pre1$ uname -a
>Linux ocean 2.6.18-5-486 #1 Fri Jun 1 00:07:22 UTC 2007 i686 GNU/Linux
>
>I installed firebird2-super-server (1.5.3.4870-12) as a package:
>
>markus@ocean:~$ su root
>Password:
>ocean:/home/markus# isql-fb -user SYSDBA -pass ***
>Use CONNECT or CREATE DATABASE to specify a database
>SQL> create database '/var/lib/firebird2/data/libdbitest';
>Statement failed, SQLCODE = -902

That style of connection won't work with Superserver. It's requesting a local connection, which is available ONLY to Classic using the embedded server client libfbembed.so.


>operating system directive semget failed
>-No such file or directory
>SQL> quit;
>ocean:/home/markus# su firebird
>firebird@ocean:/home/markus$ isql-fb -user SYSDBA -pass ***
>Use CONNECT or CREATE DATABASE to specify a database
>SQL> create database '/var/lib/firebird2/data/libdbitest';
>Statement failed, SQLCODE = -902
>
>operating system directive semget failed
>-No such file or directory
>
>That is, the super-server is not doing me any good, neither as
>root nor as user firebird.

Use the IP address or localhost.

>Next I tried the classic server (also
>1.5.3.4870-12 from a package):
>
>markus@ocean:~$ su root
>Password:
>ocean:/home/markus# isql-fb -user SYSDBA -pass ***
>Use CONNECT or CREATE DATABASE to specify a database
>SQL> create database '/var/lib/firebird2/data/libdbitest';
>SQL> connect /var/lib/firebird2/data/libdbitest;
>Commit current transaction (y/n)?y
>Committing.
>Database: /var/lib/firebird2/data/libdbitest, User: SYSDBA
>SQL> show tables;
>There are no tables in this database
>
>This looks ok so far. I can create a database and access it using the
>database superuser account running from root.

Here you are connecting directly to the database *file* via libfbembed.so. The firebird user is not involved here: only root or a user with rw on the file and rwx on the directory will obtain this access.

>The weird thing is the ownerships and permissions:
>
>ocean:/home/markus# ls -ald /var/lib/firebird2
>drwxrwx--- 6 firebird firebird 4096 2007-12-30 00:13 /var/lib/firebird2
>ocean:/home/markus# ls -ald /var/lib/firebird2/data
>drwxrwx--- 2 firebird firebird 4096 2007-12-30 00:22 /var/lib/firebird2/data
>ocean:/home/markus# ls -al /var/lib/firebird2/data/libdbitest
>-rw-r--r-- 1 root root 598016 2007-12-30 00:23 /var/lib/firebird2/data/libdbitest
>
>That is, the directories that Debian provided for the database expect
>that the process that creates the database files runs as user
>firebird.

..which is correct. If you connect to the database as a network client, your server will be a fb_inet_server process instance created by the [x]inetd daemon. The process runs under the user credentials of the firebird user.

>However, the database is created as root:root. As mentioned
>previously, I figured this has to do with the process the server runs
>in.

When you created the database, you must have done so while directly connected in an embedded libfbembed.so process. In that case, the process runs under root and objects created in it are owned by root.

>But:
>
>ocean:/home/markus# less /etc/inetd.conf |grep firebird
>gds_db stream tcp nowait firebird /usr/sbin/tcpd /usr/lib/firebird2/bin/fb_inet_server
>
>That is, the server should use the firebird account, not root.

As it does - when either the client you use is libfbclient.so, or you use the libfbembed.so client with a network connection (in which case only the client part of the library is active and it connects to an fb_inet_server process).

>So the
>permissions appear to be set by the client rather than by the
>server. Now I'd like to see what happens if I run the test as
>firebird, not as root:
>
>
>ocean:/home/markus# rm /var/lib/firebird2/data/libdbitest
>
>ocean:/home/markus# su firebird
>firebird@ocean:/home/markus$ isql-fb -user SYSDBA -pass ***
>Use CONNECT or CREATE DATABASE to specify a database
>SQL> create database '/var/lib/firebird2/data/libdbitest';
>SQL> lock manager: couldn't set uid to superuser
>SQL> connect '/var/lib/firebird2/data/libdbitest';
>Statement failed, SQLCODE = -902
>
>operating system directive semget failed
>-Permission denied
>
>ocean:/home/markus# ls -al /var/lib/firebird2/data/libdbitest
>-rw-r--r-- 1 firebird firebird 598016 2007-12-30 00:36 /var/lib/firebird2/data/libdbitest
>
>Although the database file has been created with the ownership that
>I'd expect to be correct, I can't access the database as user
>firebird. Weird.
>
>I've also figured that I should be able to create or access databases
>if I add myself to the firebird group. I did that (and logged out+in
>to let the changes in /etc/group take effect):
>
>markus@ocean:~/prog/libdbi-drivers-0.8.3-pre1$ less /etc/group|grep firebird
>firebird:x:108:markus
>
>ocean:/home/markus# exit
>exit
>markus@ocean:~$ isql-fb -user SYSDBA -pass ***
>Use CONNECT or CREATE DATABASE to specify a database
>SQL> connect '/var/lib/firebird2/data/libdbitest';
>Statement failed, SQLCODE = -902
>
>operating system directive semget failed
>-Permission denied
>
>But no luck.
>
>I'm sorry but all this does not make any sense to me. I must be
>missing something very obvious.

Yup. Well - it's not VERY obvious if you don't understand the differences between the three server models. So decide which model you want to work with and you should be able to proceed without further frustration.

-- if you install Superserver you can't connect locally at all (other than using the localhost server). The client for SS is libfbclient.so. SS runs under firebird credentials.

-- if you install Classic, you can request fb_inet_server processes via xinetd using a proper network path. Either libfbembed.so or libfbclient.dll can be your client.

-- if libfbembed.so is available, you can run an embedded Classic process that is not an instance of fb_inet_server. This is the only condition where "who you are" on the OS matters.

Keep root out of the picture. If you want to use embedded, create a user that's in the firebird group and always work under those credentials. Make sure that any databases you create in embedded mode have the needed firebird group permissions, including execute rights on the directory. And don't try to log in as a network client when an embedded process has a database file open.

./heLen
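
A way to check a database file against the permission advice in this reply, as an added example that is not part of the original message. The function names and the EXPECTED_GROUP variable are assumptions made for illustration; the default group `firebird` and the sample path come from the `ls` output quoted above.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and
# EXPECTED_GROUP are illustrative assumptions.

# conn_kind: "host:/path" reaches the server over the network; a bare path
# is a local attach, where the caller's OS identity decides access.
conn_kind() {
    case "$1" in
        /*)  echo local ;;
        *:*) echo network ;;
        *)   echo local ;;
    esac
}

# group_bits: the three group permission characters from `ls -ld`.
group_bits() { ls -ld -- "$1" | cut -c5-7; }

# audit_db: print one finding per line; return 0 only if nothing is flagged.
audit_db() {
    db=$1
    dir=$(dirname -- "$db")
    want=${EXPECTED_GROUP:-firebird}
    rc=0
    # Directory needs rwx for the group (setgid "s" also implies execute).
    case "$(group_bits "$dir")" in
        rw[xs]) ;;
        *) echo "dir-needs-group-rwx: $dir"; rc=1 ;;
    esac
    # Database file needs rw for the group.
    case "$(group_bits "$db")" in
        rw?) ;;
        *) echo "file-needs-group-rw: $db"; rc=1 ;;
    esac
    # A root-owned file is the trace of a local attach made as root.
    owner=$(ls -ld -- "$db" | awk '{print $3}')
    group=$(ls -ld -- "$db" | awk '{print $4}')
    [ "$owner" != "root" ] || { echo "file-owned-by-root: $db"; rc=1; }
    [ "$group" = "$want" ] || { echo "file-group-is-$group-not-$want: $db"; rc=1; }
    return $rc
}

# Usage: sh audit.sh /var/lib/firebird2/data/libdbitest
[ "$#" -eq 0 ] || audit_db "$1"
```
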