| Firebird Documentation Index → Gsec - Password File Utility → Gsec caveats |
The following is a brief list of gotchas and funnies that I have detected in my own use of gsec. Some of these are mentioned above, others may not be. By collecting them all here in one place, you should be able to find out what's happening if you have problems.
Only a privileged user can update the security database. Normal users can run the gsec utility, but can only list the contents under Firebird 1.5. The following shows what happens when trying to update the database when running gsec as a normal user.
C:\>gsec -user norman -password norman
GSEC> add myuser -pw mypassword
add record error
no permission for insert/write access to TABLE USERS
A normal user can only display details from the security database.
C:\>gsec -user norman -password norman -display
user name uid gid full name
------------------------------------------------------------------------
SYSDBA 0 0
NORMAN 0 0 Norman Dunbar
EPOCMAN 0 0 Benoit Gilles Mascia
From Firebird version 2 onwards, there are slight changes to the above. Normal users are now able to change their own passwords and can no longer display details of other users that may be present in the security database.
The above user, running under Firebird 2.0, would see the following:
C:\>gsec -user norman -password norman -display
user name uid gid full name
------------------------------------------------------------------------
NORMAN 0 0 Norman Dunbar
The gsec commands apply to both modes of operation. However, when running in batch mode, you must prefix the command name with a minus sign (-) or you will get an error message similar to the following:
C:\>gsec -user sysdba -password masterkey display
invalid parameter, no switch defined
error in switch specifications
GSEC>
Note also that you will be left in interactive mode when an error occurs. The correct command line should have a minus in front of the display command, as follows:
C:\>gsec -user sysdba -password masterkey -display
user name uid gid full name
------------------------------------------------------------------------
SYSDBA 0 0
NORMAN 0 0 Norman Dunbar
EPOCMAN 0 0 Benoit Gilles Mascia
This time, gsec performed its duties, displayed all known users and quit from the utility.
If the environment variables ISC_USER and ISC_PASSWORD have been defined (which isn't a very good idea for security reasons), gsec can be run without passing the -user or -password options.
As with all of the command line utilities, it is best to use the version of the gsec utility that was supplied with your database.
When running gsec under Windows, you can trap the exit code in %ERRORLEVEL% and check it to determine the success or failure of the last command executed.
When your operating system is Unix, whatever flavour, the exit code is to be found in the $? variable.
Unfortunately, using the version of gsec supplied with Firebird 1.5, it appears that gsec always exits with a zero and this makes it quite unsuitable to build into a properly error trapped batch script on either system. Sad but true.
From version 2.0 of Firebird, this has been corrected and an exit code of zero indicates success while non-zero values indicate failures.
Sometimes, when running in batch mode, an error condition in gsec will result in gsec switching over to interactive mode. This is not very useful if you started gsec in batch mode from a script, because your script will just sit there waiting on something to be typed.
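The two caveats above (the unreliable exit code in Firebird 1.5 and the fall-through to interactive mode) can be handled together in a small wrapper. This is an added example, not part of the original Firebird documentation; the names run_gsec and GSEC_BIN are hypothetical, and it assumes gsec leaves interactive mode when it reads end-of-file on standard input.

```shell
#!/bin/sh
# Added example: call gsec in batch mode from a script without hanging
# and without trusting the exit code alone.
# GSEC_BIN and run_gsec are names invented for this example.
GSEC_BIN="${GSEC_BIN:-gsec}"

# run_gsec ARGS...
# Prints whatever gsec printed; returns 0 on success, 1 on any detected failure.
run_gsec() {
    # stdin comes from /dev/null: if an error drops gsec to the GSEC> prompt,
    # it reads end-of-file instead of waiting for input (assumption: gsec
    # quits interactive mode on end-of-file).
    out=$("$GSEC_BIN" "$@" </dev/null 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out"

    # Firebird 2.0 onwards: a non-zero exit code indicates failure.
    [ "$rc" -eq 0 ] || return 1

    # Firebird 1.5: the exit code is always zero, so also scan the output for
    # the error texts shown on this page and for a stray interactive prompt.
    # This is a heuristic; extend the patterns for other messages you meet.
    case "$out" in
        *"GSEC>"*) return 1 ;;
        *"invalid parameter"*) return 1 ;;
        *"error in switch specifications"*) return 1 ;;
        *"add record error"*) return 1 ;;
        *"no permission for"*) return 1 ;;
    esac
    return 0
}

# Usage inside a script (credentials omitted here on purpose):
#   if run_gsec -display >/dev/null; then echo "ok"; else echo "gsec failed"; fi
```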
Up until Firebird 2.0, running any of the Firebird utilities with a password supplied on the command line meant that anyone logged on to the same server could call ps -efx|grep -i pass (or similar) and be able to see the SYSDBA or other passwords. From Firebird 2.0 this is no longer possible as Firebird now replaces the supplied password with spaces.