On 11/5/20 5:03 PM, Mark Rotteveel wrote:
> I just tried to drop the LegacyAuth SYSDBA account from the security
> database, but this only results in:
>
> SQL> drop user sysdba using plugin Legacy_UserManager;
> Statement failed, SQLSTATE = HY000
> delete record error
>
> As the second best option I tried disabling it, but disabling accounts
> is not possible with the Legacy_UserManager (or ignored by
> LegacyAuth), only with Srp disabling accounts works.
>
> I have no problems dropping SYSDBA with Srp, why is this not possible
> with Legacy_UserManager? Am I missing something?
Maybe the fact that this is a _legacy_ plugin which was never able to drop
SYSDBA.
> I also tried gsec, but it looks like gsec in 3.0.7 will always pick
> Srp, ignoring the UserManager setting in firebird.conf.
You are wrong here, just rechecked:
# ./gsec -di
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
SYSDBA                              0     0
QA_USER1                            0     0
QA_USER2                            0     0
BBB                                 0     0    admin
QA_USER3                            0     0
QA_USER4                            0     0
QA_USER5                            0     0
GUEST                               0     0
SHUT1                               0     0
SHUT2                               0     0
QATEST                              0     0
After changing the value in firebird.conf to
UserManager = Legacy_UserManager
# ./gsec -di
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
SYSDBA                              0     0           Sql Server Administrator
But this does not help you drop legacy SYSDBA.
> As a result, requiring a strong password for SYSDBA (by only using Srp
> for admin accounts) is impossible if you also need to be able to
> support LegacyAuth for other accounts.
The problem is rather artificial - if one cares about security, the legacy
plugin is to be disabled.
But one can for example:
1. attach to security db embedded and delete SYSDBA record manually
2. create (global) mapping to map unwanted sysdba to something non-admin
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
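
Added example, not part of the original message or of the Firebird project's code: a Python check that reads the text of a firebird.conf and reports whether the legacy plugins discussed in this thread are still enabled, and whether the legacy manager is the one used by default. The AuthServer key, the Srp defaults, the separator set and the sample configs are assumptions of this example.

```python
import re

# Plugins of the legacy (pre-Srp) scheme named in the thread, lowercased.
LEGACY = {"legacy_auth", "legacy_usermanager"}
# Assumption: Firebird 3 defaults, used when a key is absent or commented out.
DEFAULTS = {"authserver": "Srp", "usermanager": "Srp"}

def parse_conf(text):
    """Return {lowercased key: [plugin, ...]} for the two audited keys."""
    values = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in DEFAULTS:
            values[key.lower()] = value
    # Assumption: plugin lists are separated by comma, semicolon or whitespace.
    return {k: [p for p in re.split(r"[,;\s]+", v) if p] for k, v in values.items()}

def audit(text):
    """Return findings for legacy plugins still enabled in the config text."""
    conf = parse_conf(text)
    findings = []
    for key in ("authserver", "usermanager"):
        legacy = [p for p in conf[key] if p.lower() in LEGACY]
        if legacy:
            findings.append(f"{key}: legacy plugin enabled ({', '.join(legacy)})")
    # The first UserManager entry is the one used when no plugin is named.
    if conf["usermanager"] and conf["usermanager"][0].lower() in LEGACY:
        findings.append("usermanager: legacy manager is the default")
    return findings

# Constructed sample configs, not taken from the thread.
MIXED = """\
#AuthServer = Srp
AuthServer = Srp, Legacy_Auth
UserManager = Legacy_UserManager, Srp   # legacy listed first
"""
SRP_ONLY = "#UserManager = Legacy_UserManager\n"

if __name__ == "__main__":
    for name, sample in (("MIXED", MIXED), ("SRP_ONLY", SRP_ONLY)):
        print(name, audit(sample) or "no legacy plugins enabled")
```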