Subject Re: [firebird-support] Understanding Firebird Security
Author Mark Rotteveel
On 20-5-2019 12:54, sbailey@... [firebird-support] wrote:
>> You cannot do that if you
>> 1) Have no access to the file (and server file system as whole).
>> 2) Don't know password of database owner.
>
> 1) Yes agreed, you need access to the file - so I have been testing what
> happens if the file does somehow fall into the wrong hands
>
> 2) In my testing I was able to open MyDB and view its contents *without*
> knowing the owner's password just by making it use my default
> security.fbd and SYSDBA/masterkey.

Which is not surprising, as SYSDBA is the Firebird superuser and it can
do anything it wants.

As with any database system, the security is enforced by the database
server. If you are in control of the database server (the
superuser/admin), then you can do anything you want.

And if you don't have SYSDBA access on a server, but you do have access
to the file system, you can copy the database and transfer it to another
system and access the database there. This applies to any database
system, not just Firebird.

The security enforced by the server is just to enforce that applications
('users') don't exceed their allowed access. But having sufficient
access to the server itself (either Firebird or the underlying
filesystems) allows you to circumvent that.

Mark
--
Mark Rotteveel