Security in Firebird 2 (all platforms)

<< The FIREBIRD variable | Firebird 2 Migration & Installation | SQL migration issues >>

Security in Firebird 2 (all platforms)

Be aware of the following changes that introduce incompatibilities with how your existing applications interface with Firebird's security:

Direct connections to the security database are no longer allowed

Apart from the enhancement this offers to server security, it also isolates the mechanisms of authentication from the implementation.

  • User accounts can now be configured only by using the Services API or the gsec utility.
  • For backing up the security database, the Services API is now the only route. You can employ the - se[rvice] hostname:service_mgr switch when invoking the gbak utility for this purpose.

Non-SYSDBA users no longer can see other users' accounts in the security database

A non-privileged user can retrieve or modify only its own account and it can change its own password.

Remote attachments to the server without a login and password are now prohibited

  • For attachments to Superserver, even root trying to connect locally without localhost: in the database file string, will be rejected by the remote interface if a correct login is not supplied.
  • Embedded access without login/password works fine. On Windows, authentication is bypassed. On POSIX, the Unix user name is used to validate access to database files.

The security database is renamed to security2.fdb

If you upgrade an existing installation, be sure to upgrade the security database using the provided script in order to keep your existing user logins.

Before you begin the necessary alterations to commission an existing security database on the Firebird 2.0 server, you should create a gbak backup of your old security.fdb (from v.1.5) or isc4.gdb (from v.1.0) using the old server's version of gbak and then restore it using the Firebird 2.0 gbak.

Important: You must make sure that you restore the security database to have a page size of at least 4 Kb. The new security2.fdb will not work with a smaller page size.

Warning: A simple 'cp security.fdb security2.fdb' will make it impossible to attach to the Firebird server!

For more details see the notes in the chapter on security in the accompanying Release Notes. Also read the file security_database.txt in the upgrade directory beneath the root directory of your installation.

Trusted Authentication on Windows

(v.2.1) On Windows, the default authentication mode is Mixed, which allows operating system users with Local Administrator or Domain Administrator group privileges to attach to databases with "blank" Firebird user name and password.

Warning: If you consider this insecure for your network setup, the change the parameter Authentication in firebird.conf.

back to top of page
<< The FIREBIRD variable | Firebird 2 Migration & Installation | SQL migration issues >>