I am working with InterBase 2020 version. Since InterBase installs with default user SYSDBA and default password for SYSDBA as masterkey , I want to change the password for SYSDBA user.
Using gsec tool I am able to change the password however when I backup the database and restore it on different machine having SYSDBA password as masterkey , I am able to do this successfully.
So even if I have changed the password on my machine , InterBase db backup (with changed SYSDBA password) could be restored on a machine having SYSDBA password as masterkey.
Where is the security in this case and How could I prevent this ?
Is Embedded User Authentication a solution to prevent unauthorized users restoring the database ?
You have to activate Embedded User Authentication in your Database. So you can define different SYSDBA per Database with different password.
Related
When I try anything in isql, I get the message:
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.
unable to open database
When I try to create the user I still get the message:
C:\Program Files\Firebird\Firebird_3_0>gsec -user sysdba -password masterkey
use gsec -? to get help
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
unable to open database
But I am the administrator, and I installed it.
How do I create the user SYSDBA in Firebird?
The combination of the "Your user name and password are not defined. Ask your database administrator to set up a Firebird login." with "unable to open database" does not mean the SYSDBA account does not exist, it means that the Firebird process was unable to open the security database to perform authentication.
This can happen if you installed Firebird in C:\Program Files, and you are running the Firebird server as an application (instead of as a service) and UAC is enabled, or you are running as a service, but the user account running the service has insufficient rights to read and write to the security3.fdb file.
You either need to run Firebird as a service (e.g. as configured by the installer), or - if you really want to run Firebird as an application - install Firebird outside of C:\Program Files.
How do I create the user SYSDBA in Firebird?
Connect to any database (security.db or employee) in embedded mode using user name SYSDBA (password is not needed in this mode) and issue SQL command "CREATE USER" as described in Firebird Language Reference.
You can learn more about embedded mode from Firebird 3.0 Release Notes.
I am unable to make Firebird forget the old password for default user. I have installed Firebird version 3.0.4 on my local computer. I have tried to change the default password masterkey to another one via gsec tool. First I have logged in into this tool with command:
gsec -user sysdba -password masterkey -database "C:\Program Files\Firebird\Firebird_3_0\security3.fdb"
And then with command modify I have set next password:
modify sysdba -pw qwerty12
The issue is that now I can login into sysdba account with both passwords, the old masterkey password and the new one qwerty12 password. How can I make the Firebird to forget the old default password?
The problem is not that Firebird remembers the default password, the problem is that Firebird stores a password per authentication plugin, and SYSDBA happens to exist for two (or possibly more) authentication plugins.
To fix this, you must either drop the SYSDBA account for one of the authentication plugins, or change its password. Dropping the SYSDBA account is, unfortunately, rather hard to do for the Legacy_Auth plugin (you need to manually delete it from the security database, see at the end of this answer).
Assuming the standard Firebird install (which has authentication plugins Srp and Legacy_Auth), you need to do the following to change the password (note: I'm assuming that the problematic account is the one for Legacy_Auth, not Srp):
In firebird.conf, setting UserManager ensure both user managers are listed:
UserManager = Srp, Legacy_UserManager
Restart Firebird
Change the password for both plugins
alter user SYSDBA password '<new password>' using plugin Srp;
alter user SYSDBA password '<new password>' using plugin Legacy_UserManager;
Keep in mind: the legacy authentication plugin truncates passwords at 8 characters.
If you want to prevent authentication using the Legacy_Auth plugin entirely, then edit the firebird.conf and remove Legacy_Auth from the AuthServer setting (also check databases.conf if the database has a custom configuration).
I have asked a question on the firebird-devel mailing list about the inability to drop the Legacy_Auth SYSDBA account. The answer I got was that historically it was impossible to delete the SYSDBA account in older Firebird versions, so the Legacy_UserManager plugin explicitly disallows deleting SYSDBA (while Srp allows it). The workaround is to connect directly to the security database, and delete the user manually from the PLG$USERS table (which contains the Legacy_Auth users, Srp users are in PLG$SRP):
delete from plg$users where plg$user_name = 'SYSDBA';
You can connect to the security database using isql -user sysdba -password <yourpassword> security.db (assuming the security.db alias is defined in databases.conf, otherwise use the full path to your security3.fdb).
A slightly more obscure alternative would be to define a mapping that maps an authentication as SYSDBA using Legacy_Auth to a different (unprivileged) user (eg GUEST):
create global mapping NO_LEGACY_SYSDBA
using plugin Legacy_Auth
from user sysdba to user guest;
To drop the SYSDBA account for the Srp plugin, you only need to execute (as admin):
drop user SYSDBA using plugin Srp;
I am launching postgres conatainer by placing sql script in docker-initdb. Everything is running fine. But can someone tell what's the password of my database created with below script?
CREATE DATABASE mydb;
CREATE USER mydbadmin WITH ENCRYPTED PASSWORD 'mypwd';
ALTER DATABASE mydb owner to mydbadmin;
GRANT ALL PRIVILEGES ON DATABASE mydb TO mydbadmin;
GRANT CONNECT ON DATABASE mydb to mydbadmin;
I am not providing any explicit password for DB. What would be default password in this case?
How can I provide my explicit password?
A database cannot have a password.
Only roles (users) can authenticate with the PostgreSQL server, so only they can have a password.
Database has no password, users have passwords. There is no "default password" (i guess that means new users would have pre-set password)
User mydbadmin has the password you have set. Other users will have the password you set when you CREATE USER
Make sure you have necessary settings in pg_hba.conf
I compiled Postgresql 9.5.3 and then installed it (Windows). I called initdb, then started the server. It created a user with name of the Windows user. It allows login without or with incorrect password. How to specify a password? ALTER USER test WITH PASSWORD 'x'; does not work.
I am trying to set my local postgresql so it does not have a password. I understand that this has to be done in the pg_hba.conf file and to acceess that file I have to be a postgres user. But to be a postgres user, I have to login with su postgres and enter the password that I don't have.
Any solution to this (I am on OSX)?
You're confusing several different concepts about the security model.
There is a postgres operating system user, which the PostgreSQL server runs as in order to isolate its data files and to limit damage in case of a security breach or application bug. PostgreSQL won't run as root for security. This user doesn't generally have a password, but you can change to it via the root account using sudo - you can sudo to this user with something like sudo -i -u postgres.
There is also a postgres database user, the default database superuser. This user doesn't generally have a password by default, but pg_hba.conf allows the postgres operating system user to connect as the postgres PostgreSQL user using peer authentication.
If you want you can change the configuration so that you use a password for the postgres database user, so you can psql -U postgres from any system user account:
ALTER USER postgres WITH ENCRYPTED PASSWORD 'blahblah';
Edit pg_hba.conf ("hba" is "host-based authentication") to use md5 authentication for local and host connections.
Re-start or re-load PostgreSQL
Similarly, if you want to allow any system user to connect as any database user without a password, you must modify pg_hba.conf and set trust as the authentication mode for local and host connection types. Please only use trust authentication for testing.
To learn more, see the client authentication chapter in the PostgreSQL documentation.