I have Firebird 2.5 and I need to extract all user and privileges as DDL to export to another Firebird database.
For example, I need get the script for user max
"Create user max FIRSTNAME 'Max' LASTNAME 'Power' Grant admin option";
I use IB Expert, but did not find this option to extract the DDL.
Tools -> Grants/Rights Manager -> Toolbar -> Save -> To Script Executive
Alternatively, go to the Tools -> Extract Metadata -> Settings and down there check the "extract grants" checkbox.
You also have to remember that users themselves do not exist in the database (only grants do), users they exist in the server, not the database.
See how to display and set user rights in firebird database
Also see GSEC documentation:
http://www.destructor.de/firebird/gsec.htm
https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gsec/firebird-gsec.html#gsec-batch
gsec -user sysdba -password <password> -database <databasename> -display - a command like that should display all the users registered with the server used to connect to the database. It would be trivial to take the user list and add the create user command to every one.
There is one more niche case that Firebird might have no any users, borrowing them from the host operating system. It is called "Trusted Authentication" mode. If GSEC would show no users or too few ones - check authentication settings in the relevant firebird.conf, maybe you would have to dump users list from Windows, not from Firebird.
https://www.firebirdsql.org/rlsnotesh/rnfb210-wintrusted.html
https://github.com/FirebirdSQL/firebird/blob/master/doc/README.trusted_authentication
Related
I just installed PostgreSQL 13 on Windows 11. When I run the command psql by default it uses the user aaron, the name of my Windows user account. However, it asks me for a password. I have tried all passwords associated with my Windows account as well as the default password I set for the user postgres, none of which worked. I was able to log in with psql -U postgres, and I ran the command \du, and there was only one role in the list, postgres. Later I created the role aaron without specifying a password, but it still asks for a password.
So, did the user aaron exist initially or not? If not, then how was it the default user when I ran the psql command? What is the password for this user?
So, did the user aaron exist initially or not
No, it did not. The only user that is created when installing Postgres (or more precisely: when running initdb) is postgres.
If not, then how was it the default user when I ran the psql command
Quote from the manual
The default user name is your operating-system user name, as is the default database name
psql simply uses the operating system user as the default username to connect to the server. It knows nothing about the database user(s) until it tries to connect with a specific username and potentially password.
You can set a different default through the (Windows) environment variable PGUSER
Later I created the role aaron without specifying a password, but it still asks for a password.
Whether or not a password is required is controlled through pg_hba.conf
When you run psql command and don't provide a username it considers (that the current system user which in your case is aaron) is the user you want to use to login and hence you see a user which really don't exists.
Now regarding the password you might want to check a file generally named as pg_hba.conf which hold the essentials of who can connect (IPs) what username can he have and should that user be asked for password.
Now generally you will find answers saying that find this file and write down trust everywhere (which basically means if some specific user from a specific IP access this database of replication then don't ask for a password and let him enter), which you should not do until and unless you are utterly sure the postgresql server is just just local and has no real-time purpose.
So concluding you want to create a user with some encrypted password and then provide necessary privilege.
P.S: I have tried all these on a linux machine, but the server configurations are more or less same.
It's worth pointing out that PostgreSQL has it's own users and permissions independent of the OS. Some installers will automatically create a postgres OS user. I'm not sure what Windows does.
It seems that PostgreSQL can do Windows authentication. See this question for details on how to configure that.
As #a_horse_with_no_name has said, connection configuration is controlled by pg_hba.conf
PostgreSQL tries not to leak information about its users, so the failed-authentication attempt is not given much information about why it failed.
If you look in the server's log file, rather than the clients, you should first see messages about 'aaron' failing to authenticate because the user does not existing, and then (after you create it) about it failing to authenticate because it has no password assigned.
When you created the user, you should have assigned it a password if you wanted to use a password. Or as a superuser in psql, create it without a password and then assign one with \password aaron That way the password won't be visible on the screen, or in the log files.
To give a concise, direct answer:
right click on Windows icon and click “System”.
scroll down to “Advanced System Settings”.
click Environment Variables.
in “System variables”, click “New”.
Set Variable Name to PGUSER and Variable Value to postgres.
Or, in cmd: set PGUSER=postgres, which also sets it globally.
go to "Services" (in Task Manager), and restart the "postgresql-X64" service.
In a newly created database, I don't get any error message when I log in with the wrong user and password (the users TTT and AAA don't even exist)
[root#fewww bin]# ./isql /opt/db/treewww/ftree.db -user ttt -password bbb;
Database: /opt/db/treewww/ftree.db, User: TTT
SQL> exit;
[root#fewww bin]# ./isql /opt/db/treewww/ftree.db -user aaa -password ccc;
Database: /opt/db/treewww/ftree.db, User: AAA
SQL> SELECT rdb$get_context('SYSTEM', 'ENGINE_VERSION') from rdb$database;
RDB$GET_CONTEXT
===============================================================================
3.0.2
At the same time, I get a 'regular' error message in another database when I use the wrong login credentials:
[root#fewww bin]# ./isql /opt/db/testwww/ftest.db -user aaa -password ddd
Statement failed, SQLSTATE = 08001
I/O error during "lock" operation for file "/opt/db/testwww/ftest.db"
-Database already opened with engine instance, incompatible with current
Use CONNECT or CREATE DATABASE to specify a database
Could you please explain the matter?
You only specify a path to the database, and not a hostname, and as a result, isql uses the Firebird Embedded database engine to open and access the database, and not the Firebird server. Since Firebird 3, Firebird Embedded no longer verifies passwords on Linux (it never did this on Windows, and now Linux follows the same rule), see also the Firebird 3 Release Notes.
This applies the assumption that if a user has direct read and write access to the database file, then they are allowed to open it. The specified username is still used, to apply the privileges granted to that user, and given no passwords are checked, any username is considered valid. Such a user probably won't have sufficient privileges to do much except query system tables, unless you have granted privileges to that username or to the user PUBLIC.
The second error you show likely means that the database was opened by another application using a different Firebird engine (e.g. a Firebird server process in SuperServer mode), or possibly your user and that process don't have the same access rights to lockfiles (not 100% sure about this). You could try connecting through localhost to see if you can access the database that way: isql localhost:/opt/db/testwww/ftest.db -user aaa -password ddd.
When I try anything in isql, I get the message:
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.
unable to open database
When I try to create the user I still get the message:
C:\Program Files\Firebird\Firebird_3_0>gsec -user sysdba -password masterkey
use gsec -? to get help
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
unable to open database
But I am the administrator, and I installed it.
How do I create the user SYSDBA in Firebird?
The combination of the "Your user name and password are not defined. Ask your database administrator to set up a Firebird login." with "unable to open database" does not mean the SYSDBA account does not exist, it means that the Firebird process was unable to open the security database to perform authentication.
This can happen if you installed Firebird in C:\Program Files, and you are running the Firebird server as an application (instead of as a service) and UAC is enabled, or you are running as a service, but the user account running the service has insufficient rights to read and write to the security3.fdb file.
You either need to run Firebird as a service (e.g. as configured by the installer), or - if you really want to run Firebird as an application - install Firebird outside of C:\Program Files.
How do I create the user SYSDBA in Firebird?
Connect to any database (security.db or employee) in embedded mode using user name SYSDBA (password is not needed in this mode) and issue SQL command "CREATE USER" as described in Firebird Language Reference.
You can learn more about embedded mode from Firebird 3.0 Release Notes.
I am unable to make Firebird forget the old password for default user. I have installed Firebird version 3.0.4 on my local computer. I have tried to change the default password masterkey to another one via gsec tool. First I have logged in into this tool with command:
gsec -user sysdba -password masterkey -database "C:\Program Files\Firebird\Firebird_3_0\security3.fdb"
And then with command modify I have set next password:
modify sysdba -pw qwerty12
The issue is that now I can login into sysdba account with both passwords, the old masterkey password and the new one qwerty12 password. How can I make the Firebird to forget the old default password?
The problem is not that Firebird remembers the default password, the problem is that Firebird stores a password per authentication plugin, and SYSDBA happens to exist for two (or possibly more) authentication plugins.
To fix this, you must either drop the SYSDBA account for one of the authentication plugins, or change its password. Dropping the SYSDBA account is, unfortunately, rather hard to do for the Legacy_Auth plugin (you need to manually delete it from the security database, see at the end of this answer).
Assuming the standard Firebird install (which has authentication plugins Srp and Legacy_Auth), you need to do the following to change the password (note: I'm assuming that the problematic account is the one for Legacy_Auth, not Srp):
In firebird.conf, setting UserManager ensure both user managers are listed:
UserManager = Srp, Legacy_UserManager
Restart Firebird
Change the password for both plugins
alter user SYSDBA password '<new password>' using plugin Srp;
alter user SYSDBA password '<new password>' using plugin Legacy_UserManager;
Keep in mind: the legacy authentication plugin truncates passwords at 8 characters.
If you want to prevent authentication using the Legacy_Auth plugin entirely, then edit the firebird.conf and remove Legacy_Auth from the AuthServer setting (also check databases.conf if the database has a custom configuration).
I have asked a question on the firebird-devel mailing list about the inability to drop the Legacy_Auth SYSDBA account. The answer I got was that historically it was impossible to delete the SYSDBA account in older Firebird versions, so the Legacy_UserManager plugin explicitly disallows deleting SYSDBA (while Srp allows it). The workaround is to connect directly to the security database, and delete the user manually from the PLG$USERS table (which contains the Legacy_Auth users, Srp users are in PLG$SRP):
delete from plg$users where plg$user_name = 'SYSDBA';
You can connect to the security database using isql -user sysdba -password <yourpassword> security.db (assuming the security.db alias is defined in databases.conf, otherwise use the full path to your security3.fdb).
A slightly more obscure alternative would be to define a mapping that maps an authentication as SYSDBA using Legacy_Auth to a different (unprivileged) user (eg GUEST):
create global mapping NO_LEGACY_SYSDBA
using plugin Legacy_Auth
from user sysdba to user guest;
To drop the SYSDBA account for the Srp plugin, you only need to execute (as admin):
drop user SYSDBA using plugin Srp;
How do I change a user's password in Postgresql (using PgAdmin) so that I can connect with Rails to the Postgres database using these credentials?
So far: In PgAdmin I right clicked the database name, clicked Create Script and then typed the command:
CREATE USER usr1 WITH PASSWORD 'pwd1!##$';
Question: where exactly in PgAdmin am I able to see the user and password or list of users and passwords? So far I am unable to see this in Db properties --> 'privileges'?? Any tips on other security elements? or something that can be improved in my current methods? Thanks a lot.
In the file "pgpass.conf" in this path:
C:\Users\[User's name]\AppData\Roaming\postgresql
Login roles are common for all databases in a server. You can see them in the bottom of the object browser (left panel).
To execute arbitrary SQL query open Query tool (Ctrl-E) from Tools in main menu or click on icon with 'SQL' (previously you have to select a database).
To change user password execute SQL:
ALTER ROLE username PASSWORD 'newpassword'
ALTER USER is an alias for ALTER ROLE. Read about it in documentation.
Run the query from pgadmin:
SELECT rolname, rolpassword FROM pg_authid;
This requires superuser privileges to protect the password.