firebird
DESCRIPTION
A Quick Tutorial for firebird RDMBSTRANSCRIPT
FIREBIRD RDBMSQuick Tutorial
chinsan
Firebird DBA
Installation and common DB operation
Server, Account Management
Troubleshooting
Security and Audit
Backup and Restore
Some Firebird SQL tools
Installation
There are 2 main types of builds: the “Superserver” and the “Classic server”. We went for the Superserver because it scales better with higher number of connections (although it lacks SMP support).
FirebirdSS-1.5.4.4910-0.i686.tar.gzextract the tarball
[chinsan@GST scripts]$ diff -ruN preinstall.sh.orig preinstall.sh--- preinstall.sh.orig 2007-10-17 15:14:19.000000000 +0800+++ preinstall.sh 2007-10-17 15:15:05.000000000 +0800@@ -214,22 +214,6 @@ } -#-------------------------------------------------------------------------# Check for presence of editor 'ex'--checkForEx() {- ex <<EOS >/dev/null 2>&1-q-EOS- if [ $? -ne 0 ]- then- echo "+------------------- ERROR -----------------------+"- echo "| Your system miss editor 'ex'. |"- echo "| Please install it before running setup program. |"- echo "+-------------------------------------------------+"- exit 127- fi-} #== Main Pre =================================================================@@ -239,7 +223,6 @@ ArchiveDateTag=`date +"%Y%m%d_%H%M"` ArchiveMainFile="${FBRootDir}_${ArchiveDateTag}.tar.gz" - checkForEx # Ok so any of the following packages are a problem # these don't work at least in the latest rpm manager, since it
Server
Start Serverservice firebird startor su -c "fbmgr -start" firebirdor su -c "fbmgr -start -forever -password SYSDBApassword" firebird
Stop Serverservice firebird stopor su -c "fbmgr -shut -password SYSDBApassword" firebird
Account management
the default admin username:password pair for Firebird is SYSDBA:masterkey.In fact, it’s ‘masterke’ as only the first 8 characters are checked.
It is STRONGLY recommended that you change the SYSDBA password with:% gsec -user SYSDBA -pass masterkeyGSEC> modify SYSDBA -pw newpasswordGSEC> quit
before doing anything serious with Firebird.
Add user:% gsecGSEC> add myuser -pass mypasswordGSEC> quit
Forget password?If you still have SYSDBA password, it’s easy as SYSDBA can alter password of any user. If not, you need to replace the security.fdb with a clean one (where you know the password).
SYSDBA
bin/changeDBAPassword.sh
/etc/init.d/firebirdISC_PASSWORD=foobar
WARNING: you should not expose the SYSDBA password in a publicly-readable file. So please ensure this file is not world readable. Eventually this file should not need to contain any passwords. As root user alone should be sufficient privilege to stop/start the server.
gsec
Explanation of gsec switches:-user should always be SYSDBA-pass SYSDBA password
-mo modify user-add add user-del delete user-pw password for user
Common DB operation(1)
interactive shell: isqlIn isql, every SQL statement must end with a semicolon(;). if forgot the semicolon, just type it after CON> prompt.
databse connection:Note: Server name and pathSQL> connect hostname:”/path/to/employee.fdb” user ‘SYSDBA’ password ‘SYSDBApassword’;
Important: If you run Classic Server on Linux, a fast, direct local connection is attempted if the database path does not start with a hostname. This may fail if your Linux login doesn’t have sufficient access rights to the database file. In that case, connect to localhost:/<path>. Then the server process (with Firebird 1.5 usually running as firebird) will open the file. On the other hand, network-style connections may fail if a user created the database in Classic local mode and the server doesn’t have enough access rights.If you run Classic Server on Windows, you must specify a hostname (which may be localhost) plus a full path, or the connection will fail.
Common DB operation(2)
quit:SQL> QUIT;
In the CREATE DATABASE statement the quotes around path string, username, and password are mandatory. This is different from the CONNECT statement. ie.
SQL>CREATE DATABASE 'D:\data\test.fdb' page_size 8192CON>user 'SYSDBA' password 'masterkey';
Troubleshooting
“semget failed”?make sure that the lock manager is not running and its semaphores have been removed. The former can be accomplished with 'ps ax|grep fb' and 'kill'; the latter with 'ipcs -s' and 'ipcrm -s'.
“Statement failed, SQLCODE = -551 no permission for read-write access to xxoo database”?the server process doesn't have read or write access to the database file.# chown firebird:firebird xxoo.fdb
“page xxx os of wrong type”?a)backupb)Fix database: 1)gfix -v -f database.gdb 2)gfix -m -i database.gdb or restore database
More FAQ on http://www.firebirdfaq.org/
Security and Audit
shell security
bash:ln -s /dev/null ~/.bash_historyor :> ~/.bash_historyor history -c
csh/tcsh:ln -s /dev/null ~/.historyor :>~/.histroyor hostory -c
How to hide list of users/passwords?
When you rename USERS table and create USERS view instead of it, you will allow users to modify their passwords as well as hide full list of users from PUBLIC. Each user (except SYSDBA) will see only one (its own) record in isc4.gdb! New isc4.gdb will then look like this (simplified version):
CREATE TABLE USERS2 ( USER_NAME VARCHAR(128), PASSWD VARCHAR(32) );
CREATE VIEW USERS AS SELECT * FROM USERS2 WHERE USER = '' OR USER = 'SYSDBA' OR USER = USER_NAME;
GRANT SELECT ON USERS TO PUBLIC;
GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME) ON USERS TO PUBLIC;
Real table USERS2 is visible only to SYSDBA. The condition
USER = USER_NAME
ensures that each user sees its own record. The condition
USER = 'SYSDBA'
ensures that SYSDBA can see all records. The condition
USER = ''
is important because USER variable contains empty string during password verification!You can look at full script to modify standard isc4.gdb here .
How to log login-attempts?
http://www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm#_ibisc4_log
Once we are able to log who/when tried to login to database, we can use this information to further restrict access. It is possible to e.g. count number of login attempts for given username during last minute and refuse connection if this number is too high, thus effectively preventing using brute force to break into database by scanning all possible passwords. So when somebody tries to guess password by trying to login with different password combinations, it will temporarily block that username from login; for this reason time interval and allowed login count should be carefuly chosen to slow down intruder, but still do not restrict regular users too much (e.g. when somebody just make typo in password). Similar system (more sophisticated, of course) is used in OpenVMS OS. The relevant part of code in SP is as simple as this
DECLARE VARIABLE cnt INTEGER;
SELECT COUNT(*) FROM log_table WHERE uname=:un AND tstamp>CURRENT_TIMESTAMP-0.0007 INTO :cnt;
IF (cnt>=3) THEN EXIT;
where you can change constants 3 (allowed number of mistakes) and 0.0007 (approximately 1 minute). Full script is here. This procedure works (i.e. prevents access) for all users. One possible modification would be to choose one user (different than SYSDBA, because it is the most endangered username) that is not restriced by that procedure, and that owns all databases (and thus has rights to shutdown the database).
How to slow down intruders?
How to get a list of all roles in a database?
Query the RDB$ROLES system table:SELECT * FROM RDB$ROLES
How to get a list of roles granted to a user?
You need to query the RDB$PRIVILEGES system table. The following example shows all users and roles granted to them:SELECT u.RDB$USER, u.RDB$RELATION_NAMEFROM RDB$USER_PRIVILEGES uWHERE u.RDB$PRIVILEGE = 'M'ORDER BY 1, 2
Does Firebird support field-level access rights?
Yes, it does for writing new values (UPDATE statements). To control the rights, use the GRANT and REVOKE statements:
GRANT UPDATE ON table1(field1) TO USER1;REVOKE UPDATE ON table2(field2) TO USER2;
If you wish to limit users to certain fields when reading (SELECT), a common way is to use views:
create view v1 (limited column list)asselect limited,column,listfrom t1;
And then grant user SELECT rights only for the view. With views, you can also limit which records (rows) can user see:
create view v1 (column,list)asselect column,listfrom t1where ...constraining clause...;
If you need really complex rules, you can setup up a stored procedure that would return NULLs for some columns to specific users.
Firebird Technical Specifications
Database limits & Data Type Specifics:http://www.firebirdsql.org/index.php?op=guide&id=techspec
gds_db 3050/tcp #InterBase Database Remote Protocol
Backup & Restore
GBAK is Firebird’s command line tool for online backup and restore of a complete database.General syntax:gbak <options> -user <username> -password <password> <source> <destination>
Backup:For backups, <source> is the database you want to back up, <destination> is the file name of the backup file. The usual extension is .,k for Firebird and .gbk for InterBase.Only SYSDBA or the database owner can perform a backup. For multi-file databases, specify only the name of the first file as the database name.
Backup a database into a compressed format:gbak -b db-srv://database.fdb /dev/stdout | gzip > /file.fbk.gz
Restore
Restore:For restores, <source> is the backup file and <destination> is the name of the database that is to be built up from the backup file. You will have to specify the -C option for restore.
Restore a database into new filename:zcat /file.fbk.gz | gbak -c /dev/stdin db-srv://new-database.fdb
Multi-file backup and restore: man gbak
commonly used extensionsNote that filename extensions used here are just recommended. Using unified extensions scheme helps guess file type just by looking at its extension.
.fdb Firebird database
.gdb Firebird database, legacy extension from the days when Fire-bird was Interbase. gdb actually comes from Grotton database, named after the company that created the software..fdb.2 Second file of multi-file database.fdb.3 Third file of multi-file database.fdb.N N-th file of multi-file database.,k Firebird backup file.gbk Legacy extension for backup file
Some Firebird SQL tool
EMS SQL Manager for InterBase/Firebirdhttp://www.sqlmanager.net/en/products/ibfb/manager/download/
FlameRobin: another GUI tool, open source.http://www.flamerobin.org/
ibWebAdmin: web frontend for the Firebird and InterBase database servers, written in PHPhttp://www.ibwebadmin.net/
Reference
Firebird Documentation Sethttp://www.firebirdsql.org/manual/
The Firebird FAQhttp://www.firebirdfaq.org/
Firebird SQL statement and function referencehttp://www.ibphoenix.com/main.nfs?a=ibphoenix&page=ibp_60_sqlref