GSEC Caveats
The following is a brief list of gotchas and funnies that I have detected in my own use of gsec. Some of these are mentioned above, others may not be. By collecting them all here in one place, you should be able to find out what's happening if you have problems.
Normal versus privileged users
Only a privileged user can update the security database. Normal users can run the gsec utility, but can only list the contents under Firebird 1.5. The following shows what happens when trying to update the database when running gsec as a normal user.
C:\>gsec -user norman -password norman
GSEC> add myuser -pw mypassword
add record error
no permission for insert/write access to TABLE USERS
A normal user can only display details from the security database.
C:\>gsec -user norman -password norman -display
     user name                    uid   gid     full name
------------------------------------------------------------------------
SYSDBA                               0     0
NORMAN                               0     0     Norman Dunbar
EPOCMAN                              0     0     Benoit Gilles Mascia
Note: From Firebird version 2 onwards, there are slight changes to the above. Normal users are now able to change their own passwords and can no longer display details of other users that may be present in the security database.
The same user, running under Firebird 2.0, would see only their own entry:
C:\>gsec -user norman -password norman -display
     user name                    uid   gid     full name
------------------------------------------------------------------------
NORMAN                               0     0     Norman Dunbar
Differences between batch and interactive mode
The gsec commands are the same in both modes of operation; in batch mode, however, you must prefix the command name with a minus sign (-) or you will get an error message similar to the following:
C:\>gsec -user sysdba -password masterkey display
invalid parameter, no switch defined
error in switch specifications
GSEC>
Note also that you will be left in interactive mode when an error occurs. The correct command line should have a minus in front of the display command, as follows:
C:\>gsec -user sysdba -password masterkey -display
     user name                    uid   gid     full name
------------------------------------------------------------------------
SYSDBA                               0     0
NORMAN                               0     0     Norman Dunbar
EPOCMAN                              0     0     Benoit Gilles Mascia
This time, gsec performed its duties, displayed all known users and quit from the utility.
Warning: If the environment variables ISC_USER and ISC_PASSWORD are defined, gsec can be run without the -user and -password options. Defining them is not a good idea for security reasons: the password then sits in the environment of every process started from that shell, where anything able to inspect those processes can read it.
Warning: As with all of the command-line utilities, it is best to use the version of the gsec utility that was supplied with the Firebird release your server is running.
Batch mode exit codes
When running gsec under Windows, you can trap the exit code in %ERRORLEVEL% and check it to determine the success or failure of the last command executed.
When your operating system is Unix - whatever flavour - the exit code is to be found in the $? variable.
Unfortunately, using the version of gsec supplied with Firebird 1.5, it appears that gsec always exits with a zero and this makes it quite unsuitable to build into a properly error-trapped batch script on either system. Sad but true.
Note: From version 2.0 of Firebird, this has been corrected and an exit code of zero indicates success while nonzero values indicate failures.
Errors in batch mode swap to interactive mode
Sometimes, when running in batch mode, an error condition in gsec will result in gsec switching over to interactive mode. This is not very useful if you started gsec in batch mode from a script, because your script will just sit there waiting on something to be typed.
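The following is an added example, not taken from the Firebird documentation or from gsec itself, of how to wrap a batch-mode gsec call so that a script still catches failures despite the two caveats above: the always-zero exit code of the 1.5 utility and the fall-back into interactive mode. The GSEC_BIN variable, the helper name and the list of error strings it scans for are assumptions made here; the strings are the ones shown in the messages earlier on this page.

```shell
#!/bin/sh
# Added example, not part of the Firebird documentation or the gsec tool.
# Wraps one gsec batch-mode command so a script can detect failure even
# when gsec itself exits 0 on error (Firebird 1.5) or drops into its
# interactive prompt. GSEC_BIN is an assumed variable naming the gsec
# executable; it defaults to whatever "gsec" is on the PATH.

GSEC_BIN="${GSEC_BIN:-gsec}"

# run_gsec_batch USER PASSWORD SWITCH [ARGS...]
# Prints gsec's combined output and returns nonzero on failure.
run_gsec_batch() {
    user="$1"; pass="$2"; shift 2
    rc=0
    # stdin from /dev/null: if gsec falls back to its GSEC> prompt it reads
    # end-of-file instead of blocking the script (assumed to make it quit).
    # The "|| rc=$?" form keeps the exit code even when "set -e" is active.
    out=$("$GSEC_BIN" -user "$user" -password "$pass" "$@" </dev/null 2>&1) || rc=$?
    printf '%s\n' "$out"
    # Firebird 2.0 and later: a nonzero code already signals failure.
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    # Firebird 1.5 exits 0 regardless, so fall back to scanning the text for
    # the error strings gsec prints (list assembled from the messages above).
    if printf '%s\n' "$out" | grep -qiE 'error|no permission|invalid parameter'; then
        return 2
    fi
    return 0
}

# Stand-alone use:  sh gsec_batch.sh sysdba masterkey -display
if [ "$#" -gt 0 ]; then
    run_gsec_batch "$@"
fi
```

On Firebird 2.0 and later the exit code alone is enough and the text scan is only a belt-and-braces check; on 1.5 the scan is the only signal, and it will misfire on a user whose full name happens to contain the word "error". %ERRORLEVEL% is the Windows counterpart of the $? the wrapper passes back. Passing the password on the command line still carries the exposure described under "Potential security problems".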
Potential security problems
Up until Firebird 2.0, running any of the Firebird utilities with a password supplied on the command line meant that anyone logged on to the same server could run ps -efx | grep -i pass (or similar) and see the SYSDBA or other passwords in the process's argument list. From Firebird 2.0 the utilities overwrite the password in their own command line with spaces once they have read it, so it no longer shows up in process listings. There is still a short window between the process starting and the overwrite, so a password on the command line is never entirely safe.
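As an added check for the exposure just described, not from this page or from Firebird, the script below scans ps-style process listings for Firebird utilities started with a -password switch, which is how a pre-2.0 server leaks the password. The tool names, the assumed "ps -ef" column layout, the "-pa" minimum abbreviation and the sample lines are all constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the Firebird documentation. Scans process-listing
# lines in "ps -ef" format for Firebird command-line tools started with a
# -password switch. Reads lines from stdin and prints "PID: command" per hit.
# The tool list and the "-pa" minimum abbreviation are assumptions.
find_cmdline_passwords() {
    # ps -ef columns: UID PID PPID C STIME TTY TIME CMD, so the command
    # name is field 8 and its arguments follow from field 9 onward.
    awk '
        $8 ~ /(^|\/)(gsec|gbak|isql|gfix|gstat)$/ {
            for (i = 9; i <= NF; i++) {
                # any abbreviation of -password of at least "-pa" (assumed minimum)
                if (index("-password", $i) == 1 && length($i) >= 3) {
                    cmd = $8
                    for (j = 9; j <= NF; j++) cmd = cmd " " $j
                    print $2 ": " cmd
                    break
                }
            }
        }'
}

# Constructed sample listing, not a real capture.
sample_ps() {
    cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
firebird   301     1  0 08:00 ?        00:00:02 /opt/firebird/bin/fbguard
norman    4242  4100  0 09:12 pts/1    00:00:00 gsec -user sysdba -password masterkey -display
norman    4250  4100  0 09:13 pts/1    00:00:00 /opt/firebird/bin/gbak -b -user sysdba -pa masterkey employee.fdb emp.fbk
norman    4261  4100  0 09:14 pts/1    00:00:00 isql -user norman employee.fdb
norman    4270  4100  0 09:15 pts/1    00:00:00 grep -i pass
EOF
}

# Stand-alone use:  sh find_pw.sh --demo     or     ps -ef | sh find_pw.sh --stdin
case "${1:-}" in
    --demo)  sample_ps | find_cmdline_passwords ;;
    --stdin) find_cmdline_passwords ;;
esac
```

On a 2.0 or later server a hit only tells you that the switch was used, since the password itself has already been blanked; on 1.5 the hit contains the password in clear, and the same listing is available to every other user on the box.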