Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Mark Rotteveel m...@lawinegevaar.nl [firebird-support]
On 20-5-2019 12:54, sbai...@mutualconsultants.ltd.uk [firebird-support] 
wrote:
>> You cannot do that if you
>> 1) Have no access to the file (and server file system as whole).
>> 2) Don't know password of database owner.
> 
> 1) Yes agreed, you need access to the file - so I have been testing what 
> happens if the file does somehow fall into the wrong hands
> 
> 2) In my testing I was able to open MyDB and view its contents *without 
> *knowing the owner's password just by making it use my default 
> security.fbd and SYSDBA/masterkey.

Which is not surprising, as SYSDBA is the Firebird superuser and it can 
do anything it wants.

As with any database system, the security is enforced by the database 
server. If you are in control of the database server (the 
superuser/admin), then you can do anything you want.

And if you don't have SYSDBA access on a server, but you do have access 
to the file system, you can copy the database and transfer it to another 
system and access the database there. This applies to any database 
system, not just Firebird.

The security enforced by the server is just to enforce that applications 
('users') don't exceed their allowed access. But having sufficient 
access to the server itself (either Firebird or the underlying 
filesystems) allows you to circumvent that.

Mark
-- 
Mark Rotteveel


Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Dimitry Sibiryakov s...@ibphoenix.com [firebird-support]
20.05.2019 12:54, sbai...@mutualconsultants.ltd.uk [firebird-support] wrote:
> 2) In my testing I was able to open MyDB and view its contents *without 
> *knowing the 
> owner's password just by making it use my default security.fbd and 
> SYSDBA/masterkey.

   For this you again must have access to the server file system. If you get it, no 
DBMS can survive, even an encrypted one.


-- 
   WBR, SD.






++

Visit http://www.firebirdsql.org and click the Documentation item
on the main (top) menu.  Try FAQ and other links from the left-side menu there.

Also search the knowledgebases at http://www.ibphoenix.com/resources/documents/ 

++


Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/firebird-support/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/firebird-support/join
(Yahoo! ID required)

<*> To change settings via email:
firebird-support-dig...@yahoogroups.com 
firebird-support-fullfeatu...@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
firebird-support-unsubscr...@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/



Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread sbai...@mutualconsultants.ltd.uk [firebird-support]
Dimitry, 

> You cannot do that if you
> 1) Have no access to the file (and server file system as whole).
> 2) Don't know password of database owner.

 

 1) Yes agreed, you need access to the file - so I have been testing what 
happens if the file does somehow fall into the wrong hands
 

 2) In my testing I was able to open MyDB and view its contents without knowing 
the owner's password just by making it use my default security.fbd and 
SYSDBA/masterkey.
 

 Steve.
 

 



Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Alexey Kovyazin a...@ib-aid.com [firebird-support]

Hello,


So, I did understand correctly - anyone can open any Firebird database and view the data 

(unless it happens to be encrypted).

No, not exactly: you can protect against the scenario of replacing the security 
database by changing the database owner (create the database under MyUser).



I am rather shocked by that.


Why? Any database can be opened if you have access to the database file 
- there are plenty of recovery tools for MSSQL, PostgreSQL, etc., to dump 
the contents of the database.



Regards,
Alexey Kovyazin
IBSurgeon


On 20.05.2019 13:32, sbai...@mutualconsultants.ltd.uk [firebird-support] 
wrote:


Alexey, thank you for the extremely quick response.


So, I did understand correctly - anyone can open any Firebird database 
and view the data (unless it happens to be encrypted).


I am rather shocked by that.

Steve Bailey







Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Dimitry Sibiryakov s...@ibphoenix.com [firebird-support]
20.05.2019 12:32, sbai...@mutualconsultants.ltd.uk [firebird-support] wrote:
> anyone can open any Firebird database and view the data (unless it happens to 
> be encrypted).

   Yes, and it is true for any database server.


-- 
   WBR, SD.









Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Dimitry Sibiryakov s...@ibphoenix.com [firebird-support]
20.05.2019 12:19, sbai...@mutualconsultants.ltd.uk [firebird-support] wrote:
> What stops me taking a copy of SecretDatabase.fdb and connecting to it on my 
> own Firebird 
> installation?

   You cannot do that if you

1) Have no access to the file (and server file system as whole).
2) Don't know password of database owner.


-- 
   WBR, SD.









Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread sbai...@mutualconsultants.ltd.uk [firebird-support]
Alexey, thank you for the extremely quick response.
 

 So, I did understand correctly - anyone can open any Firebird database and 
view the data (unless it happens to be encrypted).
 

 I am rather shocked by that.
 

 Steve Bailey


Re: [firebird-support] Understanding Firebird Security

2019-05-20 Thread Alexey Kovyazin a...@ib-aid.com [firebird-support]

Hello,


This is the point where I confess to being confused. I presume I am 
wrong but it looks like any Firebird database has a "public back 
door". What stops me taking a copy of SecretDatabase.fdb and 
connecting to it on my own Firebird installation?




If you have access to Firebird server and to the database file, you can 
get a copy of IBSurgeon FirstAID (recovery tool) and view data without 
any password :)


To protect the database file in such a situation (for example, if you 
distribute it to an untrusted environment), consider using encryption 
- there are ready-to-use third-party plugins available, or you can build 
your own.


Regards,
Alexey Kovyazin
IBSurgeon




Steve Bailey






[firebird-support] Understanding Firebird Security

2019-05-20 Thread sbai...@mutualconsultants.ltd.uk [firebird-support]
I am new to Firebird, trying to understand how it handles user security.
 

 I want to create a database owned by and accessible to only one user - and 
that should not be SYSDBA.
 

 Let's call the database MyDB.
 

 In databases.conf I created an alias for MyDB and specified that it should be 
its own security database.
 

 With the Firebird server NOT running, I did the following in iSQL:
  - connected to the sample employee database (which uses the standard 
security3.fdb database) as SYSDBA
  - created a new user called MyNewUser and set a password
  - quit iSQL and restarted it as user MyNewUser
  - created MyDB.fdb in the folder already specified for it in databases.conf 
(so MyNewUser is the owner of MyDB)
  - connected to MyDB as user MyNewUser
  - created a test table and inserted a few test records.
  
 Next I started the Firebird server and using a Firebird client (IBExpert) I 
did this:
  - attempted to connect to MyDB as user MyNewUser - this was successful
  - attempted to connect to MyDB as SYSDBA - this was unsuccessful, which is 
what I was expecting.
  
 Next I edited the databases.conf alias for MyDB and removed the 
SecurityDatabase entry so it would now use the standard security3 database.
 

 Now when I attempt to connect as SYSDBA it is successful and I can see the 
test records that I previously entered.
 

 
 This is the point where I confess to being confused. I presume I am wrong but 
it looks like any Firebird database has a "public back door". What stops me 
taking a copy of SecretDatabase.fdb and connecting to it on my own Firebird 
installation?
 

 Steve Bailey
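The thread's conclusion is that a per-database security database (the `SecurityDatabase` entry in the alias block of databases.conf) only holds while the database file itself cannot be read by anyone else. The following audit script, added here as an example and not code from the thread or from the Firebird project, reads a databases.conf in the Firebird 3 syntax (`alias = path`, optionally followed by a `{ ... }` block of per-database parameters), reports for each alias whether it declares its own `SecurityDatabase`, and checks whether the database file's mode bits grant read access to group or others. The configuration text, file paths and file contents are constructed for the demo; the parser is deliberately minimal and assumes the brace-on-its-own-line layout used in the Firebird sample file.

```python
"""Audit a Firebird 3 databases.conf for the scenario discussed in the thread:
does each alias use its own security database, and is the .fdb file readable
by more than its owner? Added example, not Firebird's own code."""
import os
import re
import stat
import tempfile

# Constructed databases.conf (not a real installation's file). Paths are placeholders.
SAMPLE_CONF = """\
# default sample database, shares the server-wide security3.fdb
employee = /var/lib/firebird/employee.fdb
MyDB = /var/lib/firebird/data/MyDB.fdb
{
    SecurityDatabase = /var/lib/firebird/data/MyDB.fdb
}
Other = /var/lib/firebird/data/Other.fdb
{
    # nothing security related here
    Providers = Engine12
}
"""

_ALIAS_RE = re.compile(r"^\s*([A-Za-z0-9_.$-]+)\s*=\s*(.+?)\s*$")
_PARAM_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")


def parse_databases_conf(text):
    """Return {alias: {"path": str, "params": {name: value}}}.

    Handles `alias = path` lines and a following `{ ... }` parameter block;
    `#` starts a comment anywhere on a line."""
    aliases = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "{":
            in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        if in_block and current is not None:
            m = _PARAM_RE.match(line)
            if m:
                aliases[current]["params"][m.group(1)] = m.group(2)
            continue
        m = _ALIAS_RE.match(line)
        if m:
            current = m.group(1)
            aliases[current] = {"path": m.group(2), "params": {}}
    return aliases


def uses_own_security_db(entry):
    """True when the alias block overrides the server-wide security database."""
    return "SecurityDatabase" in entry["params"]


def file_exposure(path):
    """'missing', 'owner-only' or 'shared' (group/other read bit set) for a file."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    return "shared" if mode & (stat.S_IRGRP | stat.S_IROTH) else "owner-only"


def audit(conf_text, resolve=lambda p: p):
    """Combine both checks per alias. `resolve` maps config paths to on-disk paths
    so the demo can point at temporary files instead of the configured locations."""
    report = {}
    for alias, entry in parse_databases_conf(conf_text).items():
        report[alias] = {
            "own_security_db": uses_own_security_db(entry),
            "file": file_exposure(resolve(entry["path"])),
        }
    return report


def demo():
    """Create two constructed placeholder files with different modes and audit them.
    'employee' is left missing on purpose to show the third outcome."""
    tmp = tempfile.mkdtemp()
    created = {}
    for name, mode in (("MyDB.fdb", 0o600), ("Other.fdb", 0o644)):
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real database")
        os.chmod(path, mode)
        created[name] = path

    def resolve(cfg_path):
        base = os.path.basename(cfg_path)
        return created.get(base, os.path.join(tmp, base))

    return audit(SAMPLE_CONF, resolve)


if __name__ == "__main__":
    for alias, info in demo().items():
        print(f"{alias:10} own security db: {info['own_security_db']!s:5} file: {info['file']}")
```

In the demo, `MyDB` comes out as the configuration Steve built (own security database, file readable only by its owner), while `Other` shows the combination the thread warns about: the file is readable by other accounts on the host, so the server-side login check can be bypassed simply by copying the file, whatever the alias block says. Run it against a real installation by passing the contents of the actual databases.conf to `audit()` without a `resolve` function.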