A few days ago I started working with firebird on opensuse. When I try open the database by using monodevelop(C#), I get the error message:
"access to database is denied by server administrator"
How can I solve this?
I am using firebird 2,5, opensuse 13.1, and monodevelop.
You are trying to access a database in a location that is not allowed by the server configuration. There are two potential causes:
The value(s) of DatabaseAccess in firebird.conf do not include or explicitly deny the current location of the database.
To fix this you either need to configure an alias and use the alias to connect, move the database to one of the allowed folders, or add an additional location to the configuration entry
the firebird user (the user running the server process) does not have access to the database file.
To fix this you need to make sure that the firebird user of the server process (if connecting through the Firebird server), or your own user (if using embedded) has sufficient access rights to the database.
See also http://www.firebirdfaq.org/faq39/ and http://ibexpert.net/ibe/index.php?n=Doc.ConfiguringFirebird#DatabaseAccess
Related
Probably basic stuff. I'm just trying out DBeaver for the first time to set up a Postgresql database.
I chose new database connection - Postgres
Host: localhost
Database: postgres
Username: postgres and system password ... All connected
but when I right click create new database or schema I get the error
"SQL Error [42501]: ERROR: permission denied to create database
ERROR: permission denied to create database"
Where could I be doing wrong?
User postgres don't have Create Database permission.
You can check list of given permissions from Roles->postgres
Note: By default Super User will have all the permissions but if your's is not Super User then you have to establish connection using Super User and then enable required permissions to Non Super User.
I am using Ubuntu OS. In my case was an issue when trying to save a DUMP on SSD. I solved by following steps:
1st - open ubuntu software
2nd - search for dbeaver-ce
3rd - after installed it, click Permissions
4th - check Read/write files on removable storage devices
Hope it might help someone in the future.
I tried to do the same over several hours yesterday. Apparently, DBeaver doesn't allow the creation of new databases (at least at this version of the software). You can connect to an existing DB and that's about it.
I created a Firebird database by an account other than sysdba. If I put a copy of this db to another machine, I can open it by sysdba account and the 'masterkey' password. Thus this is real risk if some one can take a copy of it.
Is there some way to prevent this scenario?
The user that created a database is "just" the owner of the database, the sysdba user is administrator and is allowed to do anything to all databases on a Firebird server. This is a very good reason to never use masterkey as your password on a production server.
The usernames and passwords in Firebird 2.5 and earlier are stored in a security database (security2.fdb) that is part of the Firebird installation. So moving a database to another server (or replacing the security2.fdb) will allow "unauthorized" persons to access the database. Note that I put unauthorized in quotes here, because if a person has direct file access so they are able to make a copy of the database, or replace the security2.fdb, they have sufficient authorization on your server to do anything they want (or the security of your system has been breached).
In Firebird 3, it will be possible to store users in the database itself, but this still requires server-side configuration, so - as far as I know - this will not restrict much in this scenario. Firebird 3 will also provide support for database encryption which could allow you to only give access on a specific server, or with users that provide a specific key. Unfortunately Firebird 3 only provides the API, but not the encryption. That is left to users or library providers to implement.
There is also a trick to create a role with the name SYSDBA in your database which will prevent a user with username sysdba to connect to the database. But this is easy to circumvent by using a hex editor and some knowledge of the internal structure of a Firebird database to undo this. If the person really wants access to your data, they can also just compile a Firebird server that skips or ignores authentication.
All in all, this means that if someone has direct access to the database file, then they can create a copy and open it on another Firebird install one way or another. So the only real way to protect a database file is to make sure that users can only access the database through the Firebird server, don't have direct access to the database files and - except admins - are not able to create a backup of the database.
Even if users only have access through the server, they can still make a logical copy of the entire database structure, and all data they are allowed to access.
Consider reading Firebird File and Metadata Security
I'm trying to setup a local firebird instance to test against but am unable to connect to it with even ISQL. I have tried to following by following the quick start guide here:
CONNECT ..\examples\empbuild\employee.fdb user SYSDBA password masterkey;
Which resulted in:
Statement failed, SQLSTATE = 08001
unavailable database
After some searching I tried modifying that to:
CONNECT "localhost:C:\Program Files\Firebird\Firebird_2_5\examples\empbuild\employee.fdb" user SYSDBA password masterkey;
Which resulted in:
Statement failed, SQLSTATE = 28000
cannot attach to password database
After confirming I had the right directory path I decided to give on on connecting for now and try creating a new DB:
SQL>CREATE DATABASE 'C:\data\test.fdb' page_size 8192
CON>user 'SYSDBA' password 'masterkey';
Which also gave me the error:
Statement failed, SQLSTATE = 08001
unavailable database
Are there any common pitfalls I might be hitting? I've also tried the commands above both with and without the firebird service running. Also is there a detailed reference on the SQLSTATE codes?
As already mentioned in my comments the problem is caused by running the Firebird server as an application. Firebird has its password database (security2.fdb) in C:\Program Files\Firebird\Firebird_2_5. As this database is (almost, but not entirely) a normal Firebird database, the server requires write access to this database (for the transactions, etc).
By default (with UAC) users do not have write access to the password database, so this requires elevation to Administrator. So access to Firebird requires that you either run the application as a service with sufficient rights (eg as done by the default installer), or when running the server as application to run it 'As administrator'. Another option is to not install it in Program Files.
This BTW applies double when accessing the example employee database as this database file is also located in the Program Files folder.
This is for macOS/OSX (mine is 10.15) firebird ver 2.5 users.
The installation process here does not ask for a sysdba password. Which means: the security database 'security2.fdb' does not exist after a new installation.
This seems to be intentionally for security reasons since > ver 2.5.
To create one, we use the demo database as a helper:
open sql as su: >sudo isql (we don't have user rights on dir)
Connect to a existing db:
sql>connect
"/Library/Frameworks/Firebird.framework/Resources/examples/empbuild/employee.fdb
" user 'SYSDBA' password 'masterkey';
Now we created the missing file 'security2.fdb' in the folder:
"/Library/Frameworks/Firebird.framework/Resources/English.lproj/var/"
(jro)
I create the Entity DB (if file not exists) in C:\Temp\MyDB.mdf using : MyEFContext.CreateDatabase().
I can open the DB with VS Express 2010 and navigate through it but when attempting to adding (Joining) the DB in SSMS i get the following error : Unable to open the physical file "C:\Temp\MyDB.mdf". Operating system error 5: "5(Access is denied.)". (Microsoft SQL Server, Error: 5120)
How can I fix this?
Thanks
This is a rights issue.
In the case where it works you are in the user context of the user account that you logged in with.
In the case where it does not work, it is the user account that the SQL server is running under that is trying to access the file.
Check which account SQL server is using, then give that account access to the files on the temp directory.
I am creating a NTService Application which use an Embeded Firebird database. When i configure the service run as Administrator account, It works ok. But when i run service as default Local System Account, I get below error.
no permission for read/select access to TABLE XXXX
Why is that ? I belive there is no system tables or etc in Firebird single sql file. And Windows xp dont have linux like file permissions. Please help.
Regards
J
While the embedded version doesn't authenticate users (doesn't check the username and password against security2.fdb) it still checks the SQL privileges of the user. This means that you still have to grant proper user rights to the username and/or role you're using when accessing the database. It probably worked for the Administrator account because in version 2.1, members of administrative Windows groups were mapped to SYSDBA by default (and thus had all rights on all databases). This changed in version 2.5, you now have to manually configure this (see release notes).