From e6286cff87a199bd9cf35c1b3192072afff6094b Mon Sep 17 00:00:00 2001 From: AlexPeshkoff Date: Thu, 18 Jun 2020 00:03:51 +0300 Subject: [PATCH] Documentation --- doc/README.security_database.txt | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/doc/README.security_database.txt b/doc/README.security_database.txt index 720a3242aa..0bf3ba3ae7 100644 --- a/doc/README.security_database.txt +++ b/doc/README.security_database.txt @@ -1,9 +1,18 @@ Initializing the Security Database ---------------------------------- The security database (security4.fdb) has no predefined users. This is intentional. +Having user with well known predefined password and full access rights is serious security risk. + +Firebird starting with version 3.0 does not require presence of SYSDBA user. One can use another name +for god-like user, have them different per-database or even work without users in security database using +authentication plugins that do not require it. That all is out of scope here: this document describes +step by step how to manually prepare security database for usage similar to what one could see in previous +firebird (and/or interbase) versions. Normally this task is performed by installers but in a case you wish +to perform manual installation or complete failed on creation user installer - this text is for you. + You will need to create the user SYSDBA and set up the password for it using SQL CREATE USER command syntax in embedded mode as your first step to getting -access to databases and utilities. +remote access to databases. Initialization is performed in embedded mode using the isql utility. For an embedded connection, an authentication password is not required and will be ignored if you provide one. An embedded connection will work fine @@ -16,23 +25,25 @@ The SQL user management commands will work with any open database. Because the s is present in your installation and already aliased in databases.conf, it is convenient to use it for the user management task. -1. Stop the Firebird server. Firebird 4 caches connections to the security database aggressively. The presence +1. Stop the Firebird server. Firebird caches connections to the security database aggressively. The presence of server connections may prevent isql from establishing an embedded connection. 2. In a suitable shell, start an isql interactive session, opening the employee database via its alias: > isql -user sysdba employee 3. Create the SYSDBA user: WARNING! Do not just copy and paste! Generate your own strong password! - SQL> create or alter user SYSDBA password 'StrongPassword'; + SQL> create user SYSDBA password 'StrongPassword'; SQL> commit; SQL> quit; WARNING! Do not just copy and paste! Generate your own strong password! 4. To complete the initialization, start the Firebird server again. Now you will be able to perform a network - login to databases, including the security database, using the password you assigned to SYSDBA. + login to databases using login SYSDBA and the password you assigned to it. -An effective password, using the default user manager Srp, can be up to 20 characters, although a password -of up to 255 characters will be valid. +An effective password with authentication plugin Srp can be up to 20 characters, Srp256 provides efficient +passwords up to 32 characters or up to 64 characters when Srp512 is used. At the same time a password of up to +255 characters will be valid but in a case of brute force attack it's highly possible that duplicated password +with length approximately equal to efficient one can be found. The initialization can also be scripted using the file input option of isql with the content being same as interactive usage. > isql -i init.sql -user sysdba employee