firebird-mirror/src/dbs/security.sql

/*
 * The contents of this file are subject to the Interbase Public
 * License Version 1.0 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy
 * of the License at http://www.Inprise.com/IPL.html
 *
 * Software distributed under the License is distributed on an
 * "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express
 * or implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code was created by Inprise Corporation
 * and its predecessors. Portions created by Inprise Corporation are
 * Copyright (C) Inprise Corporation.
 *
 * All Rights Reserved.
 * Contributor(s): ______________________________________.
 * 
 * 2004.09.14 Alex Peshkoff - security changes, preventing ordinary users
 *		from access to other users crypted passwords and enabling modification
 *		of there own password. Originally suggested by Ivan Prenosil
 *		(see http://www.volny.cz/iprenosil/interbase/ for details).
 */

/* Domain definitions */
CREATE DOMAIN COMMENT AS BLOB SUB_TYPE TEXT SEGMENT SIZE 80 CHARACTER SET UNICODE_FSS;
CREATE DOMAIN NAME_PART AS VARCHAR(32) CHARACTER SET UNICODE_FSS DEFAULT _UNICODE_FSS '';
CREATE DOMAIN GID AS INTEGER;
CREATE DOMAIN PASSWD AS VARCHAR(64) CHARACTER SET BINARY;
CREATE DOMAIN UID AS INTEGER;
CREATE DOMAIN USER_NAME AS VARCHAR(128) CHARACTER SET UNICODE_FSS;
CREATE DOMAIN PRIVILEGE AS INTEGER;


/*  Table: RDB$USERS, BG means BackGround */
CREATE TABLE RDB$USERS (USER_NAME USER_NAME,
	/* local system user name for setuid for file permissions */
	SYS_USER_NAME	USER_NAME,
	GROUP_NAME	USER_NAME,
	UID 		UID,
	GID 		GID,
	PASSWD 		PASSWD,

	/* Privilege level of user-mark a user as having DBA privilege */
	PRIVILEGE 	PRIVILEGE,

	COMMENT 	COMMENT,
	FIRST_NAME 	NAME_PART,
	MIDDLE_NAME	NAME_PART,
	LAST_NAME	NAME_PART);

COMMIT;

/*  Index definition users_bg table */
CREATE UNIQUE INDEX RDB$USER_NAME_INDEX ON RDB$USERS(USER_NAME);

/*  View: USERS. Let's user modify his own password. */
CREATE VIEW USERS (USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,
		PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, FULL_NAME) AS 
	SELECT USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD, 
		PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, 
		first_name || _UNICODE_FSS ' ' || middle_name || _UNICODE_FSS ' ' || last_name
	FROM RDB$USERS
	WHERE CURRENT_USER = 'SYSDBA'
	   OR CURRENT_USER = RDB$USERS.USER_NAME;

/*	Access rights */
GRANT ALL ON RDB$USERS to VIEW USERS;
GRANT SELECT ON USERS to PUBLIC;
GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
	ON USERS TO PUBLIC;

COMMIT;

/*	Needed record - with PASSWD = random + SHA1 (random + 'SYSDBA' + crypt('masterke')) */
INSERT INTO RDB$USERS(USER_NAME, PASSWD, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
	VALUES ('SYSDBA', 'NLtwcs9LrxLMOYhG0uGM9i6KS7mf3QAKvFVpmRg=', 'Sql', 'Server', 'Administrator');

COMMIT;
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`/*`
			`* The contents of this file are subject to the Interbase Public`
			`* License Version 1.0 (the "License"); you may not use this file`
			`* except in compliance with the License. You may obtain a copy`
			`* of the License at http://www.Inprise.com/IPL.html`
			`*`
			`* Software distributed under the License is distributed on an`
			`* "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express`
			`* or implied. See the License for the specific language governing`
			`* rights and limitations under the License.`
			`*`
			`* The Original Code was created by Inprise Corporation`
			`* and its predecessors. Portions created by Inprise Corporation are`
			`* Copyright (C) Inprise Corporation.`
			`*`
			`* All Rights Reserved.`
			`* Contributor(s): ______________________________________.`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`*`
			`* 2004.09.14 Alex Peshkoff - security changes, preventing ordinary users`
			`* from access to other users crypted passwords and enabling modification`
			`* of there own password. Originally suggested by Ivan Prenosil`
			`* (see http://www.volny.cz/iprenosil/interbase/ for details).`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`*/`

			`/* Domain definitions */`
			`CREATE DOMAIN COMMENT AS BLOB SUB_TYPE TEXT SEGMENT SIZE 80 CHARACTER SET UNICODE_FSS;`
			`CREATE DOMAIN NAME_PART AS VARCHAR(32) CHARACTER SET UNICODE_FSS DEFAULT _UNICODE_FSS '';`
			`CREATE DOMAIN GID AS INTEGER;`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`CREATE DOMAIN PASSWD AS VARCHAR(64) CHARACTER SET BINARY;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`CREATE DOMAIN UID AS INTEGER;`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`CREATE DOMAIN USER_NAME AS VARCHAR(128) CHARACTER SET UNICODE_FSS;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`CREATE DOMAIN PRIVILEGE AS INTEGER;`


let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`/* Table: RDB$USERS, BG means BackGround */`
			`CREATE TABLE RDB$USERS (USER_NAME USER_NAME,`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`/* local system user name for setuid for file permissions */`
			`SYS_USER_NAME USER_NAME,`
			`GROUP_NAME USER_NAME,`
			`UID UID,`
			`GID GID,`
			`PASSWD PASSWD,`

			`/* Privilege level of user-mark a user as having DBA privilege */`
			`PRIVILEGE PRIVILEGE,`

			`COMMENT COMMENT,`
			`FIRST_NAME NAME_PART,`
			`MIDDLE_NAME NAME_PART,`
Better way for server to authenticate itself in security database. 2004-12-19 16:24:59 +01:00			`LAST_NAME NAME_PART);`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`COMMIT;`

			`/* Index definition users_bg table */`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`CREATE UNIQUE INDEX RDB$USER_NAME_INDEX ON RDB$USERS(USER_NAME);`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`/* View: USERS. Let's user modify his own password. */`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`CREATE VIEW USERS (USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,`
			`PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, FULL_NAME) AS`
			`SELECT USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,`
			`PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME,`
			`first_name \|\| _UNICODE_FSS ' ' \|\| middle_name \|\| _UNICODE_FSS ' ' \|\| last_name`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`FROM RDB$USERS`
Better way for server to authenticate itself in security database. 2004-12-19 16:24:59 +01:00			`WHERE CURRENT_USER = 'SYSDBA'`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`OR CURRENT_USER = RDB$USERS.USER_NAME;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`/* Access rights */`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`GRANT ALL ON RDB$USERS to VIEW USERS;`
First steps towards a C++ conversion. 2001-05-23 15:26:42 +02:00			`GRANT SELECT ON USERS to PUBLIC;`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)`
			`ON USERS TO PUBLIC;`

			`COMMIT;`

			`/* Needed record - with PASSWD = random + SHA1 (random + 'SYSDBA' + crypt('masterke')) */`
let user_name be in unicode_fss in table rdb$users 2005-10-17 19:15:26 +02:00			`INSERT INTO RDB$USERS(USER_NAME, PASSWD, FIRST_NAME, MIDDLE_NAME, LAST_NAME)`
security fix 1. dropped table host_info 2. applied (modified a bit) patch of Ivan Prenosil letting user modify his password 3. expanded PASSWD field to fit new hashes 2004-11-07 15:17:56 +01:00			`VALUES ('SYSDBA', 'NLtwcs9LrxLMOYhG0uGM9i6KS7mf3QAKvFVpmRg=', 'Sql', 'Server', 'Administrator');`

			`COMMIT;`