Subject Re: Undocumented internal encrypt/decrypt in FB
Author Andreas Pohl
> SYSDBA still exists though, and even if it is not the owner of the
> database or the objects within. SYSDBA can back up the database. If the
> user does not know the SYSDBA password, then that attack vector is
> minimised (although there is only so much strength in an 8 character
> password).

You need full access to the PC, a running Firebird server + dongle, and
should be able to retrieve the user/owner name and password. In this case
you get a working backup file.

If my security needs were higher/stronger, then I would
disable/change the service API for the backup process. Without that, my
approach does not need to change the Firebird code base.

> I was not talking about your encrypted sandboxed gbak. Have you

There is only a patched version of the Firebird server. All other tools,
including gbak, are the original ones.

> removed the networking code from your custom fbserver? If not, I can
> use ProcessExplorer to see what TCP/IP ports you are listening to. I
> can download the standard gbak from one of the download kits, and
> back up the database by using your fbserver as the proxy. I can

You need valid connection info to do this.

--
Andreas