Subject | Re: [firebird-support] Firebird sysdba account |
---|---|
Author | Niben M Singh |
Post date | 2008-08-15T16:27:18Z |
Thanks Thomas!
I played with FB more as you suggested and now I am more confused (which I easily do), or maybe I am missing something (which I often do :)).
So here is what I tried -
1. Created new user in my FB server using GSEC.
2. Created brand new database using the new user, using ISQL.
3. Then I ran your ROLE query to give my new login SYSDBA role.
4. And, as you had said, it sure did lock SYSDBA user out. I could only connect to the database using my new user.
5. Then I created another user in the FB server and tried to connect to the database. Surprisingly, the other user was granted access to the database.
Seems like even though we lock the SYSDBA out of the database as you mentioned, one can always copy the database into a different server and create some other user, other than SYSDBA, and use that user to access the database.
Please let me know what I have missed here.
Thanks,
Niben
--- On Thu, 8/14/08, Thomas Steinmaurer <ts@...> wrote:
From: Thomas Steinmaurer <ts@...>
Subject: Re: [firebird-support] Firebird sysdba account
To: firebird-support@yahoogroups.com
Date: Thursday, August 14, 2008, 1:26 PM
> So that means, like Thomas had said
> "Pretty simple, don't use SYSDBA as owner for deployment!!!"
> will not work.
It will work in regard to no need to share SYSDBA with other
applications, fiddling around with the password of this "shared" user
... :-)
Once you have moved your database and the objects inside to another
owner, you can lock SYSDBA out by:
* Connect with the new owner to the database
* Execute:
INSERT INTO RDB$ROLES
(RDB$ROLE_NAME, RDB$OWNER_NAME)
VALUES
('SYSDBA', <your connected owner>);
COMMIT;
Not a bullet-proof lock out thingy though, but it eliminates e.g.
connections via SYSDBA by accident during development, ...
--
Best Regards,
Thomas Steinmaurer
LogManager Series - Logging/Auditing Suites supporting
InterBase, Firebird, Advantage Database, MS SQL Server and
NexusDB V2
Upscene Productions
http://www.upscene.com
My blog:
http://blog.upscene.com/thomas/