Subject | Re: SuperServer on Gentoo doesn't start any more |
---|---|
Author | skoczian |
Post date | 2008-01-20T09:42:59Z |
--- In firebird-support@yahoogroups.com, Emil Totev <emilt@...>
wrote:
> >This can't be good, can it? It's a fact that the start script works
> >if and only if the sysdba password starts with 'masterke'. What's
> >the right way to correct this? Deleting ISC_PASSWORD that is
> >in /etc/conf.d/firebird and "export ISC_PASSWORD" in the start
> >script?
>
> For sure the startup of firebird does not care about the sysdba
> password. It used to be required for _stopping_ the server, but
> not the case since 2.0. At least the 'standard' rpm binary distribution
> from the firebird site doesn't need it.

I tried with commenting out "ISC_PASSWORD" in the start script, and
that didn't work (= didn't start the server). Changing the sysdba
password via gsec _and_ in the /etc/conf.d/firebird text file works.
But even if that file belongs to user firebird and isn't readable
for everybody: to me that looks like a big security hole. Is it or
isn't it? I'm no security expert at all, but why put lots of work
into the security database, if that would be enough?

> One thing you can tell from the startup script is that the firebird root
> directory is /usr/lib/firebird, that's where the security database is
> supposed to be.

That's right. And it is found. I don't really understand why the
ISC_PASSWORD variable seems to be needed when _starting_ the server.
But at this point I might have overlooked something. It's no real
help that the server _always_ says it couldn't start and sometimes
it's true, but not always.

> Actually it seems to me this script would be unable to _stop_ firebird
> 2.0 - fbmgr.bin -shut _requires_ the -user and -password switches to
> stop the server.

I suppose at this point the ISC_USER and ISC_PASSWORD variables are
used (the script exports them - getting them
from /etc/conf.d/firebird, even if I can't quite see how).

> Unfortunately I don't know a thing about Gentoo so I can't tell you
> more. And to me it looks like a gentoo-specific start/stop script issue.

Yes, it is. At the moment it's like this: I can start and stop the
server, with 'masterkey' or with another SYSDBA password. But to be
able to do this, I have to write this password as plain text into a
text file. That's no real problem for me (local database, shouldn't
be reachable from the net), but I don't think it's a good idea. And
at the moment I'm unable to put this point of view convincingly into
the Gentoo bugzilla. The bug has just been closed for the second
time. That's what really bothers me.
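
An added example, not part of the original post or of the Gentoo start script: a shell check for the three things the post worries about in /etc/conf.d/firebird, namely a plaintext ISC_PASSWORD, a value that starts with 'masterke', and access bits for anyone other than the owner. It assumes plain KEY=value lines in that file; the function names and finding labels are invented for this illustration.

```shell
#!/bin/sh
# Added example: audit a conf.d-style file for the concerns raised in the post.
# Assumption: the file holds plain KEY=value lines, optionally quoted.

# Print the last value assigned to ISC_PASSWORD, surrounding quotes stripped.
# The file is parsed with sed, not sourced, so nothing in it gets executed.
conf_password() {
    sed -n 's/^[[:space:]]*ISC_PASSWORD=//p' "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one finding per line; print nothing when the file is clean.
audit_firebird_conf() {
    f=$1
    [ -f "$f" ] || { echo "MISSING_FILE"; return 0; }

    pw=$(conf_password "$f")
    if [ -n "$pw" ]; then
        # Any non-empty value means the SYSDBA password sits on disk in clear.
        echo "PLAINTEXT_PASSWORD"
        case $pw in
            # The post reports the script works only with this prefix,
            # i.e. the password was never changed from 'masterkey'.
            masterke*) echo "DEFAULT_PASSWORD" ;;
        esac
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || echo "GROUP_OR_OTHER_ACCESS:$perms"
    return 0
}

# Stand-alone use: sh audit.sh /etc/conf.d/firebird
if [ "$#" -gt 0 ]; then
    audit_firebird_conf "$1"
fi
```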