POSIX Hosts
On POSIX systems, including macOS, the POSIX username will be used as the Firebird Embedded username if username is not explicitly specified.
On POSIX systems, including macOS, the POSIX username will be used as the Firebird Embedded username if username is not explicitly specified.
SYSDBA
User on POSIXOn POSIX hosts, other than macOS, the SYSDBA user does not have a default password.If the full installation is done using the standard scripts, a one-off password will be created and stored in a text file in the same directory as {secdb}
, commonly /opt/firebird/
.The name of the password file is SYSDBA.password
.
Note
|
In an installation performed by a distribution-specific installer, the location of the security database and the password file may be different from the standard one. |
The root user can act directly as SYSDBA on Firebird Embedded.Firebird will treat root as though it were SYSDBA, and it provides access to all databases on the server.
On the Windows Server operating systems, operating system accounts can be used.Windows authentication (also known as “trusted authentication”) can be enabled by including the Win_Sspi
plugin in the AuthServer
list in firebird.conf
.The plugin must also be present in the AuthClient
setting at the client-side.
Windows operating system administrators are not automatically granted SYSDBA privileges when connecting to a database.To make that happen, the internally-created role RDB$ADMIN
must be altered by SYSDBA or the database owner, to enable it.For details, refer to the later section entitled [fblangref50-security-autoadminmapping].
Note
|
Prior to Firebird 3.0, with trusted authentication enabled, users who passed the default checks were automatically mapped to |
The “owner” of a database is either the user who was CURRENT_USER
at the time of creation (or restore) of the database or, if the USER
parameter was supplied in the CREATE DATABASE
statement, the specified user.
“Owner” is not a username.The user who is the owner of a database has full administrator privileges with respect to that database, including the right to drop it, to restore it from a backup and to enable or disable the [fblangref50-security-autoadminmapping] capability.
USER_MANAGEMENT
System PrivilegeA user with the USER_MANAGEMENT
system privilege in the security database can create, alter and drop users.To receive the USER_MANAGEMENT
privilege, the security database must have a role with that privilege:
create role MANAGE_USERS
set system privileges to USER_MANAGEMENT;
There are two options for the user to exercise these privileges:
Grant the role as a default role.The user will always be able to create, alter or drop users.
grant default MANAGE_USERS to user ALEX;
Grant the role as a normal role.The user will only be able to create, alter or drop users when the role is specified explicitly on login or using SET ROLE
.
grant MANAGE_USERS to user ALEX;
If the security database is a different database than the user connects to — which is usually the case when using {secdb}
— then a role with the same name must also exist and be granted to the user in that database for the user to be able to activate the role.The role in the other database does not need any system privileges or other privileges.
Note
|
The |
RDB$ADMIN
RoleThe internally-created role RDB$ADMIN
is present in all databases.Assigning the RDB$ADMIN
role to a regular user in a database grants that user the privileges of the SYSDBA
, in that database only.
The elevated privileges take effect when the user is logged in to that regular database under the RDB$ADMIN
role, and gives full control over all objects in that database.
Being granted the RDB$ADMIN
role in the security database confers the authority to create, alter and drop user accounts.
In both cases, the user with the elevated privileges can assign RDB$ADMIN
role to any other user.In other words, specifying WITH ADMIN OPTION
is unnecessary because it is built into the role.
RDB$ADMIN
Role in the Security DatabaseSince nobody — not even SYSDBA — can connect to the security database remotely, the GRANT
and REVOKE
statements are of no use for this task.Instead, the RDB$ADMIN
role is granted and revoked using the SQL statements for user management:
CREATE USER new_user PASSWORD 'password' GRANT ADMIN ROLE; ALTER USER existing_user GRANT ADMIN ROLE; ALTER USER existing_user REVOKE ADMIN ROLE;
Note
|
|
Parameter | Description |
---|---|
new_user |
Name for the new user |
existing_user |
Name of an existing user |
password |
User password |
The grantor must be logged in as an administrator.
Warning
|
With Firebird 3.0, gsec was deprecated.It is recommended to use the SQL user management statements instead. |
An alternative is to use gsec with the -admin
parameter to store the RDB$ADMIN
attribute on the user’s record:
gsec -add new_user -pw password -admin yes gsec -mo existing_user -admin yes gsec -mo existing_user -admin no
Note
|
Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. |
RDB$ADMIN
Role in the Security DatabaseTo manage user accounts through SQL, the user must have the RDB$ADMIN
role in the security database.No user can connect to the security database remotely, so the solution is that the user connects to a regular database.From there, they can submit any SQL user management command.
Contrary to Firebird 3.0 or earlier, the user does not need to specify the RDB$ADMIN
role on connect, nor do they need to have the RDB$ADMIN
role in the database used to connect.
RDB$ADMIN Rights
To perform user management with gsec, the user must provide the extra switch -role rdb$admin
.
RDB$ADMIN
Role in a Regular DatabaseIn a regular database, the RDB$ADMIN
role is granted and revoked with the usual syntax for granting and revoking roles:
GRANT [DEFAULT] RDB$ADMIN TO username REVOKE [DEFAULT] RDB$ADMIN FROM username
Parameter | Description |
---|---|
username |
Name of the user |
To grant and revoke the RDB$ADMIN
role, the grantor must be logged in as an administrator.
RDB$ADMIN
Role in a Regular DatabaseTo exercise their RDB$ADMIN
privileges, the role must either have been granted as a default role, or the grantee has to include the role in the connection attributes when connecting to the database, or specify it later using SET ROLE
.
AUTO ADMIN MAPPING
Windows Administrators are not automatically granted RDB$ADMIN
privileges when connecting to a database (when Win_Sspi
is enabled).The AUTO ADMIN MAPPING
switch determines whether Administrators have automatic RDB$ADMIN
rights, on a database-by-database basis.By default, when a database is created, it is disabled.
If AUTO ADMIN MAPPING
is enabled in the database, it will take effect whenever a Windows Administrator connects:
using Win_Sspi
authentication, and
without specifying any role
After a successful “auto admin” connection, the current role is set to RDB$ADMIN
.
If an explicit role was specified on connect, the RDB$ADMIN
role can be assumed later in the session using SET TRUSTED ROLE
.
To enable and disable automatic mapping in a regular database:
ALTER ROLE RDB$ADMIN
SET AUTO ADMIN MAPPING; -- enable it
ALTER ROLE RDB$ADMIN
DROP AUTO ADMIN MAPPING; -- disable it
Either statement must be issued by a user with sufficient rights, that is:
The database owner
A user with the ALTER ANY ROLE
privilege
Note
|
The statement
is a simplified form of a
Accordingly, the statement
is equivalent to the statement
For details, see [fblangref50-security-mapping] |
In a regular database, the status of AUTO ADMIN MAPPING
is checked only at connect time.If an Administrator has the RDB$ADMIN
role because auto-mapping was on when they logged in, they will keep that role for the duration of the session, even if they or someone else turns off the mapping in the meantime.
Likewise, switching on AUTO ADMIN MAPPING
will not change the current role to RDB$ADMIN
for Administrators who were already connected.
The ALTER ROLE RDB$ADMIN
statement cannot enable or disable AUTO ADMIN MAPPING
in the security database.However, you can create a global mapping for the predefined group DOMAIN_ANY_RID_ADMINS
to the role RDB$ADMIN
in the following way:
CREATE GLOBAL MAPPING WIN_ADMINS
USING PLUGIN WIN_SSPI
FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
TO ROLE RDB$ADMIN;
Additionally, you can use gsec:
gsec -mapping set gsec -mapping drop
Note
|
Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. |
Only SYSDBA can enable AUTO ADMIN MAPPING
if it is disabled, but any administrator can turn it off.
When turning off AUTO ADMIN MAPPING
in gsec, the user turns off the mechanism itself which gave them access, and thus they would not be able to re-enable AUTO ADMIN MAPPING
.Even in an interactive gsec session, the new flag setting takes effect immediately.
An administrator is a user that has sufficient rights to read, write to, create, alter or delete any object in a database to which that user’s administrator status applies.The table summarises how “superuser” privileges are enabled in the various Firebird security contexts.
User | RDB$ADMIN Role | Comments |
---|---|---|
|
Auto |
Exists automatically at server level.Has full privileges to all objects in all databases.Can create, alter and drop users, but has no direct remote access to the security database |
root user on POSIX |
Auto |
Exactly like |
Superuser on POSIX |
Auto |
Exactly like |
Windows Administrator |
Set as |
Exactly like
|
Database owner |
Auto |
Like |
Regular user |
Must be previously granted;must be supplied at login or have been granted as a default role |
Like |
POSIX OS user |
Must be previously granted;must be supplied at login or have been granted as a default role |
Like |
Windows user |
Must be previously granted;must be supplied at login |
Like |
In addition to granting users full administrative privileges, system privileges make it possible to grant regular users a subset of administrative privileges that have historically been limited to SYSDBA and administrators only.For example:
Run utilities such as gbak, gfix, nbackup and so on
Shut down a database and bring it online
Trace other users' attachments
Access the monitoring tables
The implementation defines a set of system privileges, analogous to object privileges, from which lists of privileged tasks can be assigned to roles.
It is also possible to grant normal privileges to a system privilege, making the system privilege act like a special role type.
The system privileges are assigned through CREATE ROLE
and ALTER ROLE
.
Warning
|
Be aware that each system privilege provides a very thin level of control.For some tasks it may be necessary to give the user more than one privilege to perform some task.For example, add |
The following table lists the names of the valid system privileges that can be granted to and revoked from roles.
USER_MANAGEMENT
|
Manage users (given in the security database) |
READ_RAW_PAGES
|
Read pages in raw format using |
CREATE_USER_TYPES
|
Add/change/delete non-system records in |
USE_NBACKUP_UTILITY
|
Use nbackup to create database copies |
CHANGE_SHUTDOWN_MODE
|
Shut down database and bring online |
TRACE_ANY_ATTACHMENT
|
Trace other users' attachments |
MONITOR_ANY_ATTACHMENT
|
Monitor (tables |
ACCESS_SHUTDOWN_DATABASE
|
Access database when it is shut down |
CREATE_DATABASE
|
Create new databases (given in the security database) |
DROP_DATABASE
|
Drop this database |
USE_GBAK_UTILITY
|
Use gbak utility |
USE_GSTAT_UTILITY
|
Use gstat utility |
USE_GFIX_UTILITY
|
Use gfix utility |
IGNORE_DB_TRIGGERS
|
Instruct engine not to run DB-level triggers |
CHANGE_HEADER_SETTINGS
|
Modify parameters in DB header page |
SELECT_ANY_OBJECT_IN_DATABASE
|
Use |
ACCESS_ANY_OBJECT_IN_DATABASE
|
Access (in any possible way) any object |
MODIFY_ANY_OBJECT_IN_DATABASE
|
Modify (up to drop) any object |
CHANGE_MAPPING_RULES
|
Change authentication mappings |
USE_GRANTED_BY_CLAUSE
|
Use |
GRANT_REVOKE_ON_ANY_OBJECT
|
|
GRANT_REVOKE_ANY_DDL_RIGHT
|
|
CREATE_PRIVILEGED_ROLES
|
Use |
GET_DBCRYPT_INFO
|
Get database encryption information |
MODIFY_EXT_CONN_POOL
|
Use command |
REPLICATE_INTO_DATABASE
|
Use replication API to load change sets into database |
PROFILE_ANY_ATTACHMENT
|
Profile attachments of other users |