  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1929

Firebird SYSDBA security issues.

Good day

I am worried about database security issues.
I have just installed my app and database at a client site. I am worried someone can copy my database and install Firebird on his/her machine and then overwrite the SYSDBA password and see all my metadata and procedures.

How can I protect my database's SYSDBA username and how can I hide all my procedures in my database? I don't want someone who has copied my database to see the procedures.

I know there are laws that can protect the data etc., but I want to protect my databases.

Please, if it is possible, can someone show me good examples of how to protect my database and my security2.gdb file?

Thank you
Henry
0
 
kacorretired Commented:
Hi Henry,

1. You have to install your server and the database on a well-controlled machine which other people can't access. This way you keep whole control over the database, and so over the metadata too.
2. If I know right, in the newest Firebird versions an external person can't change the owner rights without knowing the login name and password.
3. If you write stored procedures to solve completely the job the whole database will be hidden for the users.

wbr Janos
0
 
NickUpson Commented:
you can delete the SP code from the database by deleting it from the system tables (BACKUP FIRST AS NOT RECOVERABLE), it will continue to work as when you save an SP it is converted to BLR internally and that is saved as well.
0
 
henryreynolds (Author) Commented:
Hi thank you for the reply,
NickUpson you also helped me last week with RC5 issues, thank you again.....

Which system tables data must I delete?
And each time I recompile a procedure, must I delete from the system table again?

What about SYSDBA username and password, I changed the password, but I see if I reinstall Firebird then I can get access to the database by using SYSDBA masterkey again. I don't want someone to get access to the database ever, even if he installs a new copy of Firebird.

Thank you
Henry
0
 
NickUpson Commented:
- Which system tables data must I delete?

It's an update to blank the fields that hold the human-readable version, I'll have to look it out

- And each time I recompile a procedure, must I delete from the system table again?

once it's done you cannot edit the procedure as the human-readable version no longer exists. to make a change you would have to modify the existing SP and then do the update to remove the readable code again

- What about SYSDBA username and password, I changed the password, but I see if I reinstall Firebird then I can get access to the database by using SYSDBA masterkey again. I don't want someone to get access to the database ever, even if he installs a new copy of Firebird.

there is currently no way to do this
0
 
henryreynolds (Author) Commented:
Thank you NickUpson

Will you let me know what field is the update field. And must I just update that field to null.

Thanx
Henry
0
 
NickUpson Commented:
TAKE A BACKUP FIRST, better yet take several

What you can do is delete your procedure and trigger source code.
update rdb$procedures
set rdb$procedure_source = null
where rdb$procedure_name not starting with 'RDB$';

update rdb$triggers
set rdb$trigger_source = null
where rdb$trigger_name not starting with 'RDB$';

but bear in mind that BLR can be reverse engineered, it's just most people won't bother.
0
 
henryreynolds (Author) Commented:
Hi NickUpson

Thank you I am increasing the points, because it works 101%.

I just want to know, will this cause any problems for me, can I for instance copy the procedures from my pc and compile the procedure on the client server and then run the update statement again to delete all the source? I am just scared it will cause an error if a procedure is called from Delphi...

Can you maybe also help me with this issue? How can I, in one command, give access to all users on all procedures and tables?

It must grant all tables and all procedures to all users in my database.

Thanx

Henry
0
 
NickUpson Commented:
you can extract the SP's, load them into the database, then run the update, the SP's will still work

there is no builtin command to grant access you need to do "grant update on table to username" etc

0
 
rowdy_h Commented:
There are a couple of shortcuts with granting permissions. You can use all in place of the list of permissions to grant for a table. Also you can use public in place of the username to grant them to. However, there's no shortcut that I know of to replace all tables and procedures.
So you can do
grant all on TABLE to public;
grant execute on PROCEDURE to public;

But you have to do this for each table or procedure you want to grant permissions to. Of course you don't have to use both all and public, so if you just want to grant select permissions on a table to anyone you can use
grant select on TABLE to public;

Or if you want to grant all permissions to a certain user you can use
grant all on TABLE to USERNAME;
0
 
NickUpson Commented:
split points might have been more fair
0
 
henryreynolds (Author) Commented:
Hi NickUpson, rowdy_h

Sorry I only realize now the comment from rowdy_h, I did not see the comment was done by rowdy_h, I will rectify the problem with expert-exchange.

I am truly sorry rowdy_h, but thank you for your reply, I am so used to getting comments from NickUpson always regarding InterBase.

Thank you all

Henry
0
 
rowdy_h Commented:
No problem, easy mistake to make as Nick was giving most of the answers :)
0
 
henryreynolds (Author) Commented:
Hi rowdy_h

Thank you for understanding, and I am sorry again.

Keep well

Henry
0
 
NickUpson Commented:
CREATE OR ALTER PROCEDURE PR_SYS_GRANTALL
AS
  declare variable result Varchar(64);
  declare variable stmt Varchar(100);
begin
/*
Author   : Nick Upson
Date     : 25/10/2006
Purpose  : grant correct permissions to all tables and procedures
*/
FOR SELECT R.RDB$RELATION_NAME
FROM RDB$RELATIONS R
WHERE R.RDB$SYSTEM_FLAG = 0
AND NOT EXISTS ( SELECT * FROM RDB$USER_PRIVILEGES P
                  WHERE R.RDB$RELATION_NAME = P.RDB$RELATION_NAME
                    AND P.RDB$USER = 'PUBLIC' )
INTO :result
DO
BEGIN
    STMT = 'GRANT ALL ON ' || result || ' TO PUBLIC';
    EXECUTE STATEMENT :STMT;
END

FOR SELECT R.RDB$PROCEDURE_NAME
    FROM RDB$PROCEDURES R
    WHERE NOT EXISTS ( SELECT * FROM RDB$USER_PRIVILEGES P
                        WHERE R.RDB$PROCEDURE_NAME = P.RDB$RELATION_NAME
                          AND P.RDB$USER = 'PUBLIC' )
INTO :result
DO
BEGIN
    STMT = 'GRANT EXECUTE ON ' || result || ' TO PUBLIC';
    EXECUTE STATEMENT :STMT;
END
end
0
 
NickUpson Commented:
oops typo in first one

CREATE OR ALTER PROCEDURE PR_SYS_GRANTALL
AS
  declare variable result Varchar(64);
  declare variable stmt Varchar(100);
begin
/*
Author   : Nick Upson
Date     : 25/10/2006
Purpose  : grant correct permissions to all tables and procedures
*/
FOR SELECT R.RDB$RELATION_NAME
FROM RDB$RELATIONS R
WHERE R.RDB$SYSTEM_FLAG = 0
AND NOT EXISTS ( SELECT * FROM RDB$USER_PRIVILEGES P
                  WHERE R.RDB$RELATION_NAME = P.RDB$RELATION_NAME
                    AND P.RDB$USER = 'PUBLIC' )
INTO :result
DO
BEGIN
    STMT = 'GRANT ALL ON ' || result || ' TO PUBLIC';
    EXECUTE STATEMENT :STMT;
END

FOR SELECT R.RDB$PROCEDURE_NAME
    FROM RDB$PROCEDURES R
    WHERE NOT EXISTS ( SELECT * FROM RDB$USER_PRIVILEGES P
                        WHERE R.RDB$PROCEDURE_NAME = P.RDB$RELATION_NAME
                          AND P.RDB$USER = 'PUBLIC' )
INTO :result
DO
BEGIN
    STMT = 'GRANT EXECUTE ON PROCEDURE ' || result || ' TO PUBLIC';
    EXECUTE STATEMENT :STMT;
END
end
0
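
As an added example (not part of the thread and not any participant's code), here is a least-privilege variant of the grant procedure above: instead of granting everything to PUBLIC, it grants EXECUTE on each procedure to a role and gives table rights to the procedures themselves, which is the arrangement the first answer describes in its point 3. The names APP_ROLE and PR_SYS_GRANT_LEAST are hypothetical; the example assumes Firebird 2.1 or later, a dialect 3 database, and that CREATE ROLE APP_ROLE has already been run.

```sql
/* Added example, not from the thread. APP_ROLE and PR_SYS_GRANT_LEAST
   are hypothetical names; assumes Firebird 2.1+ (TRIM, REPLACE),
   dialect 3 (quoted identifiers) and an existing role APP_ROLE. */
SET TERM ^ ;
CREATE OR ALTER PROCEDURE PR_SYS_GRANT_LEAST
AS
  DECLARE VARIABLE proc_name VARCHAR(64);
  DECLARE VARIABLE tab_name  VARCHAR(64);
  DECLARE VARIABLE stmt      VARCHAR(255);
BEGIN
  /* 1. Holders of APP_ROLE may call the procedures and nothing else.
        The grant procedure itself is excluded. */
  FOR SELECT TRIM(P.RDB$PROCEDURE_NAME)
      FROM RDB$PROCEDURES P
      WHERE COALESCE(P.RDB$SYSTEM_FLAG, 0) = 0
        AND P.RDB$PROCEDURE_NAME <> 'PR_SYS_GRANT_LEAST'
      INTO :proc_name
  DO
  BEGIN
    /* Quote the name so mixed-case or unusual identifiers still work. */
    stmt = 'GRANT EXECUTE ON PROCEDURE "' || REPLACE(proc_name, '"', '""')
        || '" TO APP_ROLE';
    EXECUTE STATEMENT :stmt;
  END

  /* 2. Each procedure gets rights only on the tables it references,
        read from RDB$DEPENDENCIES (dependent type 5 = procedure,
        depended-on type 0 = table; one row per column, hence DISTINCT). */
  FOR SELECT DISTINCT TRIM(D.RDB$DEPENDENT_NAME),
                      TRIM(D.RDB$DEPENDED_ON_NAME)
      FROM RDB$DEPENDENCIES D
      JOIN RDB$RELATIONS R
        ON R.RDB$RELATION_NAME = D.RDB$DEPENDED_ON_NAME
      WHERE D.RDB$DEPENDENT_TYPE = 5
        AND D.RDB$DEPENDED_ON_TYPE = 0
        AND COALESCE(R.RDB$SYSTEM_FLAG, 0) = 0
      INTO :proc_name, :tab_name
  DO
  BEGIN
    stmt = 'GRANT ALL ON "' || REPLACE(tab_name, '"', '""')
        || '" TO PROCEDURE "' || REPLACE(proc_name, '"', '""') || '"';
    EXECUTE STATEMENT :stmt;
  END
END^
SET TERM ; ^
```

Procedures that call other procedures, and triggers that touch other tables, need equivalent grants of their own, which this example leaves out. Users only pick up the role's rights when they connect with APP_ROLE specified.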
 
henryreynolds (Author) Commented:
Hi NickUpson

Thank you, How can I open this question again and split the points?
Thank you

Henry
0
