2. Firebird DBA
Installation and common DB operation
Server, Account Management
Troubleshooting
Security and Audit
Backup and Restore
Some Firebird SQL tools
3. Installation
There are 2 main types of builds: the “Superserver” and
the “Classic server”. We went for the Superserver
because it scales better with higher number of
connections (although it lacks SMP support).
FirebirdSS-1.5.4.4910-0.i686.tar.gz
extract the tarball
4. [chinsan@GST scripts]$ diff -ruN preinstall.sh.orig preinstall.sh
--- preinstall.sh.orig 2007-10-17 15:14:19.000000000 +0800
+++ preinstall.sh 2007-10-17 15:15:05.000000000 +0800
@@ -214,22 +214,6 @@
}
-#------------------------------------------------------------------------
-# Check for presence of editor 'ex'
-
-checkForEx() {
- ex <<EOS >/dev/null 2>&1
-q
-EOS
- if [ $? -ne 0 ]
- then
- echo quot;+------------------- ERROR -----------------------+quot;
- echo quot;| Your system miss editor 'ex'. |quot;
- echo quot;| Please install it before running setup program. |quot;
- echo quot;+-------------------------------------------------+quot;
- exit 127
- fi
-}
#== Main Pre =================================================================
@@ -239,7 +223,6 @@
ArchiveDateTag=`date +quot;%Y%m%d_%H%Mquot;`
ArchiveMainFile=quot;${FBRootDir}_${ArchiveDateTag}.tar.gzquot;
- checkForEx
# Ok so any of the following packages are a problem
# these don't work at least in the latest rpm manager, since it
5. Server
Start Server
service firebird start
or su -c quot;fbmgr -startquot; firebird
or su -c quot;fbmgr -start -forever -password SYSDBApasswordquot;
firebird
Stop Server
service firebird stop
or su -c quot;fbmgr -shut -password SYSDBApasswordquot; firebird
6. Account management
the default admin username:password pair for Firebird is SYSDBA:masterkey.
In fact, it’s ‘masterke’ as only the first 8 characters are checked.
It is STRONGLY recommended that you change the SYSDBA password with:
% gsec -user SYSDBA -pass masterkey
GSEC> modify SYSDBA -pw newpassword
GSEC> quit
before doing anything serious with Firebird.
Add user:
% gsec
GSEC> add myuser -pass mypassword
GSEC> quit
Forget password?
If you still have SYSDBA password, it’s easy as SYSDBA can alter password of any
user. If not, you need to replace the security.fdb with a clean one (where you know
the password).
8. gsec
Explanation of gsec switches:
-user should always be SYSDBA
-pass SYSDBA password
-mo modify user
-add add user
-del delete user
-pw password for user
9. Common DB operation(1)
interactive shell: isql
In isql, every SQL statement must end with a semicolon(;). if forgot the semicolon,
just type it after CON> prompt.
databse connection:
Note: Server name and path
SQL> connect hostname:”/path/to/employee.fdb” user ‘SYSDBA’ password ‘SYSDBApassword’;
Important:
If you run Classic Server on Linux, a fast, direct local connection is attempted if the database path does not
start with a hostname. This may fail if your Linux login doesn’t have sufficient access rights to the database file.
In that case, connect to localhost:/<path>. Then the server process (with Firebird 1.5 usually running as firebird)
will open the file. On the other hand, network-style connections may fail if a user created the database in
Classic local mode and the server doesn’t have enough access rights.
If you run Classic Server on Windows, you must specify a hostname (which may be localhost) plus a full path,
or the connection will fail.
10. Common DB operation(2)
quit:
SQL> QUIT;
In the CREATE DATABASE statement the quotes around path string, username,
and password are mandatory. This is different from the CONNECT statement. ie.
SQL>CREATE DATABASE 'D:datatest.fdb' page_size 8192
CON>user 'SYSDBA' password 'masterkey';
11. Troubleshooting
“semget failed”?
make sure that the lock manager is not running and its semaphores have been removed. The former can
be accomplished with 'ps ax|grep fb' and 'kill'; the latter with 'ipcs -s' and 'ipcrm -s'.
“Statement failed, SQLCODE = -551 no permission for read-write access to xxoo
database”?
the server process doesn't have read or write access to the database file.
# chown firebird:firebird xxoo.fdb
“page xxx os of wrong type”?
a)backup
b)Fix database:
1)gfix -v -f database.gdb
2)gfix -m -i database.gdb
or restore database
More FAQ on http://www.firebirdfaq.org/
14. How to hide list of users/
passwords?
When you rename USERS table and create USERS view instead of it, you will allow users to modify their passwords as well as hide full list of users from PUBLIC. Each
user (except SYSDBA) will see only one (its own) record in isc4.gdb! New isc4.gdb will then look like this (simplified version):
CREATE TABLE USERS2 (
USER_NAME VARCHAR(128),
PASSWD VARCHAR(32) );
CREATE VIEW USERS AS
SELECT *
FROM USERS2
WHERE USER = ''
OR USER = 'SYSDBA'
OR USER = USER_NAME;
GRANT SELECT
ON USERS
TO PUBLIC;
GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
ON USERS
TO PUBLIC;
Real table USERS2 is visible only to SYSDBA. The condition
USER = USER_NAME
ensures that each user sees its own record. The condition
USER = 'SYSDBA'
ensures that SYSDBA can see all records. The condition
USER = ''
is important because USER variable contains empty string during password verification!
You can look at full script to modify standard isc4.gdb here .
15. How to log login-attempts?
http://www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm#_ibisc4_log
16. How to slow down intruders?
Once we are able to log who/when tried to login to database, we can use this information to
further restrict access. It is possible to e.g. count number of login attempts for given username
during last minute and refuse connection if this number is too high, thus effectively preventing
using brute force to break into database by scanning all possible passwords. So when
somebody tries to guess password by trying to login with different password combinations, it will
temporarily block that username from login; for this reason time interval and allowed login count
should be carefuly chosen to slow down intruder, but still do not restrict regular users too much
(e.g. when somebody just make typo in password). Similar system (more sophisticated, of
course) is used in OpenVMS OS. The relevant part of code in SP is as simple as this
DECLARE VARIABLE cnt INTEGER;
SELECT COUNT(*)
FROM log_table
WHERE uname=:un
AND tstamp>CURRENT_TIMESTAMP-0.0007
INTO :cnt;
IF (cnt>=3) THEN EXIT;
where you can change constants 3 (allowed number of mistakes) and 0.0007 (approximately 1
minute). Full script is here. This procedure works (i.e. prevents access) for all users. One
possible modification would be to choose one user (different than SYSDBA, because it is the
most endangered username) that is not restriced by that procedure, and that owns all
databases (and thus has rights to shutdown the database).
17. How to get a list of all roles
in a database?
Query the RDB$ROLES system table:
SELECT * FROM RDB$ROLES
18. How to get a list of roles
granted to a user?
You need to query the RDB$PRIVILEGES system
table. The following example shows all users and roles
granted to them:
SELECT u.RDB$USER, u.RDB$RELATION_NAME
FROM RDB$USER_PRIVILEGES u
WHERE u.RDB$PRIVILEGE = 'M'
ORDER BY 1, 2
19. Does Firebird support field-level
access rights?
Yes, it does for writing new values (UPDATE statements). To control the rights, use the GRANT and REVOKE statements:
GRANT UPDATE ON table1(field1) TO USER1;
REVOKE UPDATE ON table2(field2) TO USER2;
If you wish to limit users to certain fields when reading (SELECT), a common way is to use views:
create view v1 (limited column list)
as
select limited,column,list
from t1;
And then grant user SELECT rights only for the view. With views, you can also limit which records (rows) can user see:
create view v1 (column,list)
as
select column,list
from t1
where ...constraining clause...;
If you need really complex rules, you can setup up a stored procedure that would return NULLs for some columns to specific users.
20. Firebird Technical
Specifications
Database limits & Data Type Specifics:
http://www.firebirdsql.org/index.php?op=guide&id=techspec
gds_db 3050/tcp
#InterBase Database Remote Protocol
21. Backup & Restore
GBAK is Firebird’s command line tool for online
backup and restore of a complete database.
General syntax:
gbak <options> -user <username> -password <password> <source> <destination>
Backup:
For backups, <source> is the database you want to back up, <destination> is the file name of the backup file.
The usual extension is .,k for Firebird and .gbk for InterBase.
Only SYSDBA or the database owner can perform a backup. For multi-file databases, specify only the name of
the first file as the database name.
Backup a database into a compressed format:
gbak -b db-srv://database.fdb /dev/stdout | gzip > /file.fbk.gz
22. Restore
Restore:
For restores, <source> is the backup file and <destination> is the name of the database that is to be built up
from the backup file. You will have to specify the -C option for restore.
Restore a database into new filename:
zcat /file.fbk.gz | gbak -c /dev/stdin db-srv://new-database.fdb
Multi-file backup and restore: man gbak
23. commonly used extensions
Note that filename extensions used here are just recommended. Using unified extensions scheme helps guess
file type just by looking at its extension.
.fdb Firebird database
.gdb Firebird database, legacy extension from the
days when Fire-bird was Interbase. gdb actually
comes from Grotton database, named after the
company that created the software.
.fdb.2 Second file of multi-file database
.fdb.3 Third file of multi-file database
.fdb.N N-th file of multi-file database
.,k Firebird backup file
.gbk Legacy extension for backup file
24. Some Firebird SQL tool
EMS SQL Manager for InterBase/Firebird
http://www.sqlmanager.net/en/products/ibfb/manager/download/
FlameRobin: another GUI tool, open source.
http://www.flamerobin.org/
ibWebAdmin: web frontend for the Firebird and
InterBase database servers, written in PHP
http://www.ibwebadmin.net/