
The security of the entire database depends on identifying a user and verifying its authority, a procedure known as authentication. User authentication can be performed in several ways, depending on the setting of the AuthServer parameter in the firebird.conf configuration file. This parameter contains the list of authentication plugins that can be used when connecting to the server. If the first plugin fails when authenticating, then the client can proceed with the next plugin, etc. When no plugin could authenticate the user, the user receives an error message.

The information about users authorised to access a specific Firebird server is stored in a special security database named {secdb}. Each record in {secdb} is a user account for one user. For each database, the security database can be overridden in the databases.conf file (parameter SecurityDatabase). Any database can be a security database, even for that database itself.
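The two settings just described, as an added configuration example that is not part of the Firebird documentation or its shipped configuration files: the AuthServer list in firebird.conf is tried in order, so the plugin named first is the normal authentication path, and a databases.conf entry can point a database at a different security database, including itself. The alias `hr` and the path under /var/lib/firebird are constructed for the example.

```ini
# firebird.conf (constructed fragment)
# Authentication plugins are tried in the order listed; the first plugin
# that authenticates the user wins, and an error is returned only when
# every listed plugin has failed. Srp is listed first so that the SRP
# exchange is the normal path; Legacy_Auth is kept only for clients
# that cannot use Srp.
AuthServer = Srp, Legacy_Auth

# User manager used by CREATE/ALTER/DROP USER when USING PLUGIN is omitted:
# the first entry in this list is the default.
UserManager = Srp, Legacy_UserManager

# databases.conf (constructed fragment)
# Per-database override of the security database. Here the database keeps
# its own user accounts, i.e. it is its own security database.
hr = /var/lib/firebird/hr.fdb
{
    SecurityDatabase = /var/lib/firebird/hr.fdb
}
```

With this layout, a user created while connected to `hr` with CREATE USER lives in hr.fdb rather than in {secdb}, so accounts for that database are separate from the server-wide ones; any database that is not listed with its own SecurityDatabase continues to use {secdb}.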

A username, with a maximum length of 63 characters, is an identifier, following the normal rules for identifiers (unquoted case-insensitive, double-quoted case-sensitive). For backwards compatibility, some statements (e.g. isql's CONNECT) accept usernames enclosed in single quotes, which will behave as normal, unquoted identifiers.

The maximum password length depends on the user manager plugin (parameter UserManager, in firebird.conf or databases.conf). Passwords are case-sensitive. The default user manager is the first plugin in the UserManager list, but this can be overridden in the SQL user management statements. For the Srp plugin, the maximum password length is 255 characters, for an effective length of 20 bytes (see also [fblangref50-security-auth-effective-20-bytes]). For the Legacy_UserManager plugin only the first eight bytes of a password are significant; whilst it is valid to enter a password longer than eight bytes for Legacy_UserManager, any subsequent characters are ignored.

Why is the effective password length of SRP 20 bytes?

The SRP plugin does not actually have a 20 byte limit on password length, and longer passwords can be used (with an implementation limit of 255 characters). Hashes of different passwords longer than 20 bytes are also — usually — different. This effective limit comes from the limited hash length in SHA1 (used inside Firebird’s SRP implementation), 20 bytes or 160 bits, and the “pigeonhole principle”. Sooner or later, there will be a shorter (or longer) password that has the same hash (e.g. in a brute force attack). That is why the effective password length for the SHA1 algorithm is often said to be 20 bytes.

The embedded version of the server does not use authentication; for embedded, the filesystem permissions to open the database file are used as authorization to access the database. However, the username, and — if necessary — the role, must be specified in the connection parameters, as they control access to database objects.

SYSDBA or the owner of the database have unrestricted access to all objects of the database. Users with the RDB$ADMIN role have similar unrestricted access if they specify that role when connecting or with SET ROLE.

Specially Privileged Users

In Firebird, the SYSDBA account is a “superuser” that exists beyond any security restrictions. It has complete access to all objects in all regular databases on the server, and full read/write access to the accounts in the security database {secdb}. No user has remote access to the metadata of the security database.

For Srp, the SYSDBA account does not exist by default; it will need to be created using an embedded connection. For Legacy_Auth, the default SYSDBA password on Windows and macOS is “masterkey” — or “masterke”, to be exact, because of the 8-character length limit.
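The bootstrap sequence described here, together with the plugin selection and username rules from the earlier paragraphs on user managers and identifiers, as an added isql session that is not part of the Firebird documentation. It assumes a POSIX installation under /opt/firebird, that isql is run on the server host by an OS user with read/write access to the security database file (the embedded engine performs no password check, so that file permission is the authorization), and that Srp is the default user manager; the security database file name is written as a placeholder because this page does not name it, and all passwords and account names are constructed.

```sql
-- Step 1: open an embedded connection to the security database itself.
-- A path with no host prefix selects the embedded engine, so no password
-- is verified; the OS user's permission to open the file is what matters.
-- Replace <security-db> with the real file name of {secdb}.
CONNECT '/opt/firebird/<security-db>' USER 'SYSDBA';

-- Step 2: create the SYSDBA account for Srp (it does not exist by default).
-- Srp accepts up to 255 characters; the password is case-sensitive.
CREATE USER SYSDBA PASSWORD 'Replace-with-a-long-unique-passphrase'
    USING PLUGIN Srp;

-- Step 3: if Legacy_Auth is still enabled and the account exists there,
-- replace the well-known default. Only the first 8 bytes are significant
-- for Legacy_UserManager, so anything after 'Qz7!pL2m' would be ignored.
ALTER USER SYSDBA PASSWORD 'Qz7!pL2m' USING PLUGIN Legacy_UserManager;

-- Step 4: regular accounts. USING PLUGIN overrides the default user
-- manager; omitting it stores the account in the first UserManager entry.
-- An unquoted name is case-insensitive (stored as ALICE); a double-quoted
-- name is case-sensitive, so "alice" below is a different account.
CREATE USER alice   PASSWORD 'Constructed-pw-1' USING PLUGIN Srp;
CREATE USER "alice" PASSWORD 'Constructed-pw-2' USING PLUGIN Srp;

-- GRANT ADMIN ROLE gives the account the RDB$ADMIN role in the security
-- database, i.e. the right to manage other users.
CREATE USER useradmin PASSWORD 'Constructed-pw-3' GRANT ADMIN ROLE;

COMMIT;
```

Once Srp has a SYSDBA account, administration can continue over a normal network connection authenticated by the Srp plugin; the embedded connection is only needed for this first step because the security database accepts no remote access to its metadata.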

Warning

The default password “masterkey” is known across the universe. It should be changed as soon as the Firebird server installation is complete.

Other users can acquire elevated privileges in several ways, some of which depend on the operating system platform.These are discussed in the sections that follow and are summarised in [fblangref50-security-administrators] and [fblangref50-security-sys-privs].

POSIX Hosts

On POSIX systems, including macOS, the POSIX username will be used as the Firebird Embedded username if a username is not explicitly specified.

The SYSDBA User on POSIX

On POSIX hosts, other than macOS, the SYSDBA user does not have a default password. If the full installation is done using the standard scripts, a one-off password will be created and stored in a text file in the same directory as {secdb}, commonly /opt/firebird/. The name of the password file is SYSDBA.password.

Note

In an installation performed by a distribution-specific installer, the location of the security database and the password file may be different from the standard one.