firebird-mirror/src/dbs/security.sql

/*
 * The contents of this file are subject to the Interbase Public
 * License Version 1.0 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy
 * of the License at http://www.Inprise.com/IPL.html
 *
 * Software distributed under the License is distributed on an
 * "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express
 * or implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code was created by Inprise Corporation
 * and its predecessors. Portions created by Inprise Corporation are
 * Copyright (C) Inprise Corporation.
 *
 * All Rights Reserved.
 * Contributor(s): ______________________________________.
 * 
 * 2004.09.14 Alex Peshkoff - security changes, preventing ordinary users
 *		from access to other users crypted passwords and enabling modification
 *		of there own password. Originally suggested by Ivan Prenosil
 *		(see http://www.volny.cz/iprenosil/interbase/ for details).
 */

/* Domain definitions */
CREATE DOMAIN RDB$COMMENT AS BLOB SUB_TYPE TEXT SEGMENT SIZE 80 CHARACTER SET UNICODE_FSS;
CREATE DOMAIN RDB$NAME_PART AS VARCHAR(32) CHARACTER SET UNICODE_FSS DEFAULT _UNICODE_FSS '';
CREATE DOMAIN RDB$GID AS INTEGER;
CREATE DOMAIN RDB$PASSWD AS VARCHAR(64) CHARACTER SET BINARY;
CREATE DOMAIN RDB$UID AS INTEGER;
CREATE DOMAIN RDB$USER_NAME AS VARCHAR(128) CHARACTER SET UNICODE_FSS;
CREATE DOMAIN RDB$USER_PRIVILEGE AS INTEGER;


/*  Table: RDB$USERS */
CREATE TABLE RDB$USERS (
	RDB$USER_NAME 		RDB$USER_NAME NOT NULL PRIMARY KEY,
	/* local system user name for setuid for file permissions */
	RDB$SYS_USER_NAME	RDB$USER_NAME,
	RDB$GROUP_NAME		RDB$USER_NAME,
	RDB$UID 			RDB$UID,
	RDB$GID 			RDB$GID,
	RDB$PASSWD 			RDB$PASSWD NOT NULL,

	/* Privilege level of user - mark a user as having DBA privilege */
	RDB$PRIVILEGE 		RDB$USER_PRIVILEGE,

	RDB$COMMENT 		RDB$COMMENT,
	RDB$FIRST_NAME 		RDB$NAME_PART,
	RDB$MIDDLE_NAME		RDB$NAME_PART,
	RDB$LAST_NAME		RDB$NAME_PART);

COMMIT;

/*  View: USERS. Let's user modify his own password. */
CREATE VIEW USERS (USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,
		PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, FULL_NAME) AS 
	SELECT RDB$USER_NAME, RDB$SYS_USER_NAME, RDB$GROUP_NAME, RDB$UID, RDB$GID, RDB$PASSWD, 
		RDB$PRIVILEGE, RDB$COMMENT, RDB$FIRST_NAME, RDB$MIDDLE_NAME, RDB$LAST_NAME, 
		COALESCE (RDB$first_name || _UNICODE_FSS ' ', '') || 
		COALESCE (RDB$middle_name || _UNICODE_FSS ' ', '') || 
		COALESCE (RDB$last_name, '')
	FROM RDB$USERS
	WHERE CURRENT_USER = 'SYSDBA'
	   OR CURRENT_ROLE = 'RDB$ADMIN'
	   OR CURRENT_USER = RDB$USERS.RDB$USER_NAME;

/*	Access rights */
GRANT ALL ON RDB$USERS to VIEW USERS;
GRANT SELECT ON USERS to PUBLIC;
GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
	ON USERS TO PUBLIC;

COMMIT;

/*	Needed record - with PASSWD = random + SHA1 (random + 'SYSDBA' + crypt('masterke')) */
INSERT INTO RDB$USERS(RDB$USER_NAME, RDB$PASSWD, RDB$FIRST_NAME, RDB$MIDDLE_NAME, RDB$LAST_NAME)
	VALUES ('SYSDBA', 'NLtwcs9LrxLMOYhG0uGM9i6KS7mf3QAKvFVpmRg=', 'Sql', 'Server', 'Administrator');

COMMIT;
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`/*`
			`* The contents of this file are subject to the Interbase Public`
			`* License Version 1.0 (the "License"); you may not use this file`
			`* except in compliance with the License. You may obtain a copy`
			`* of the License at http://www.Inprise.com/IPL.html`
			`*`
			`* Software distributed under the License is distributed on an`
			`* "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express`
			`* or implied. See the License for the specific language governing`
			`* rights and limitations under the License.`
			`*`
			`* The Original Code was created by Inprise Corporation`
			`* and its predecessors. Portions created by Inprise Corporation are`
			`* Copyright (C) Inprise Corporation.`
			`*`
			`* All Rights Reserved.`
			`* Contributor(s): ______________________________________.`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`*`
			`* 2004.09.14 Alex Peshkoff - security changes, preventing ordinary users`
			`* from access to other users crypted passwords and enabling modification`
			`* of there own password. Originally suggested by Ivan Prenosil`
			`* (see http://www.volny.cz/iprenosil/interbase/ for details).`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`*/`

			`/* Domain definitions */`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`CREATE DOMAIN RDB$COMMENT AS BLOB SUB_TYPE TEXT SEGMENT SIZE 80 CHARACTER SET UNICODE_FSS;`
			`CREATE DOMAIN RDB$NAME_PART AS VARCHAR(32) CHARACTER SET UNICODE_FSS DEFAULT _UNICODE_FSS '';`
			`CREATE DOMAIN RDB$GID AS INTEGER;`
			`CREATE DOMAIN RDB$PASSWD AS VARCHAR(64) CHARACTER SET BINARY;`
			`CREATE DOMAIN RDB$UID AS INTEGER;`
			`CREATE DOMAIN RDB$USER_NAME AS VARCHAR(128) CHARACTER SET UNICODE_FSS;`
			`CREATE DOMAIN RDB$USER_PRIVILEGE AS INTEGER;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00

Cleanup. 2005-10-19 11:02:04 +02:00			`/* Table: RDB$USERS */`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`CREATE TABLE RDB$USERS (`
			`RDB$USER_NAME RDB$USER_NAME NOT NULL PRIMARY KEY,`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`/* local system user name for setuid for file permissions */`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`RDB$SYS_USER_NAME RDB$USER_NAME,`
			`RDB$GROUP_NAME RDB$USER_NAME,`
			`RDB$UID RDB$UID,`
			`RDB$GID RDB$GID,`
fixed SF bug 229237 2005-12-30 17:08:44 +01:00			`RDB$PASSWD RDB$PASSWD NOT NULL,`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`/* Privilege level of user - mark a user as having DBA privilege */`
			`RDB$PRIVILEGE RDB$USER_PRIVILEGE,`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`RDB$COMMENT RDB$COMMENT,`
			`RDB$FIRST_NAME RDB$NAME_PART,`
			`RDB$MIDDLE_NAME RDB$NAME_PART,`
			`RDB$LAST_NAME RDB$NAME_PART);`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`COMMIT;`

let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`/* View: USERS. Let's user modify his own password. */`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`CREATE VIEW USERS (USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,`
			`PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, FULL_NAME) AS`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`SELECT RDB$USER_NAME, RDB$SYS_USER_NAME, RDB$GROUP_NAME, RDB$UID, RDB$GID, RDB$PASSWD,`
			`RDB$PRIVILEGE, RDB$COMMENT, RDB$FIRST_NAME, RDB$MIDDLE_NAME, RDB$LAST_NAME,`
Fixed problem with FullName and nulls 2006-07-25 16:08:26 +02:00			`COALESCE (RDB$first_name \|\| _UNICODE_FSS ' ', '') \|\|`
			`COALESCE (RDB$middle_name \|\| _UNICODE_FSS ' ', '') \|\|`
			`COALESCE (RDB$last_name, '')`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`FROM RDB$USERS`
Better way for server to authenticate itself in security database. 2004-12-19 16:24:59 +01:00			`WHERE CURRENT_USER = 'SYSDBA'`
The merge continued. 2008-01-16 07:33:06 +01:00			`OR CURRENT_ROLE = 'RDB$ADMIN'`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`OR CURRENT_USER = RDB$USERS.RDB$USER_NAME;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`/* Access rights */`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`GRANT ALL ON RDB$USERS to VIEW USERS;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`GRANT SELECT ON USERS to PUBLIC;`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)`
			`ON USERS TO PUBLIC;`

			`COMMIT;`

			`/* Needed record - with PASSWD = random + SHA1 (random + 'SYSDBA' + crypt('masterke')) */`
finished rdb$users to match vulcan 2005-10-24 14:30:57 +02:00			`INSERT INTO RDB$USERS(RDB$USER_NAME, RDB$PASSWD, RDB$FIRST_NAME, RDB$MIDDLE_NAME, RDB$LAST_NAME)`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`VALUES ('SYSDBA', 'NLtwcs9LrxLMOYhG0uGM9i6KS7mf3QAKvFVpmRg=', 'Sql', 'Server', 'Administrator');`

			`COMMIT;`