
GSEC Caveats

The following is a brief list of gotchas and funnies that I have detected in my own use of gsec. Some of these are mentioned above, others may not be. By collecting them all here in one place, you should be able to find out what's happening if you have problems.

Normal versus privileged users

Only a privileged user can update the security database. Normal users can run the gsec utility, but under Firebird 1.5 they can only list its contents. The following shows what happens when a normal user runs gsec and tries to update the database.

C:\>gsec -user norman -password norman
GSEC> add myuser -pw mypassword
add record error
no permission for insert/write access to TABLE USERS

A normal user can only display details from the security database.

C:\>gsec -user norman -password norman -display
     user name                 uid   gid       full name
------------------------------------------------------------------------
SYSDBA                         0     0
NORMAN                         0     0         Norman Dunbar
EPOCMAN                        0     0         Benoit Gilles Mascia

Note: From Firebird version 2 onwards, there are slight changes to the above. Normal users are now able to change their own passwords and can no longer display details of other users that may be present in the security database.

The above user, running under Firebird 2.0 would see the following:

C:\>gsec -user norman -password norman -display
     user name                 uid   gid       full name
------------------------------------------------------------------------
NORMAN                         0     0         Norman Dunbar

Differences between batch and interactive mode

The gsec commands apply to both modes of operation. However, when running in batch mode, you must prefix the command name with a minus sign (-) or you will get an error message similar to the following:

C:\>gsec -user sysdba -password masterkey display
invalid parameter, no switch defined
error in switch specifications
GSEC>

Note also that you will be left in interactive mode when an error occurs. The correct command line should have a minus in front of the display command, as follows:

C:\>gsec -user sysdba -password masterkey -display
     user name                 uid   gid       full name
------------------------------------------------------------------------
SYSDBA                         0     0
NORMAN                         0     0         Norman Dunbar
EPOCMAN                        0     0         Benoit Gilles Mascia

This time, gsec performed its duties, displayed all known users and quit from the utility.

Warning: If the environment variables ISC_USER and ISC_PASSWORD have been defined (which is not a good idea for security reasons), gsec can be run without passing the -user or -password options.

Warning: As with all of the command-line utilities, it is best to use the version of the gsec utility that was supplied with your database.

Batch mode exit codes

When running gsec under Windows, you can trap the exit code in %ERRORLEVEL% and check it to determine the success or failure of the last command executed.

On Unix, whatever the flavour, the exit code is found in the $? variable.

Unfortunately, using the version of gsec supplied with Firebird 1.5, it appears that gsec always exits with a zero and this makes it quite unsuitable to build into a properly error-trapped batch script on either system. Sad but true.

Note: From version 2.0 of Firebird, this has been corrected and an exit code of zero indicates success while nonzero values indicate failures.

Errors in batch mode swap to interactive mode

Sometimes, when running in batch mode, an error condition in gsec will result in gsec switching over to interactive mode. This is not very useful if you started gsec in batch mode from a script, because your script will just sit there waiting on something to be typed.
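As an added example (not from the original page), the following POSIX sh wrapper runs one gsec command in batch mode with stdin redirected from /dev/null, so a fall-back into interactive mode cannot leave the script waiting for input, and it treats both a nonzero exit code (Firebird 2.0 onwards) and the error text shown in the sections above (needed on 1.5, where the exit code is always zero) as failure. The function names and the GSEC variable are assumptions, not part of gsec itself.

```shell
#!/bin/sh
# Assumed helper names: gsec_check_output, gsec_batch. GSEC points at the
# gsec binary and is overridable so the wrapper can be exercised without a server.
GSEC="${GSEC:-gsec}"

# gsec_check_output STATUS OUTPUT
# Returns 0 when the run looks successful, 1 otherwise. The exit status is
# only trustworthy from Firebird 2.0 on, so the output text is inspected too.
gsec_check_output() {
    status="$1"
    output="$2"
    [ "$status" -eq 0 ] || return 1            # Firebird 2.0+: nonzero means failure
    case "$output" in
        *"GSEC>"*) return 1 ;;                  # gsec dropped into interactive mode
        *"error in switch"*|*"invalid parameter"*) return 1 ;;   # bad switch syntax
        *"add record error"*|*"no permission"*) return 1 ;;      # e.g. normal user, 1.5
    esac
    return 0
}

# gsec_batch USER PASSWORD -SWITCH [ARGS...]
# Runs a single batch-mode gsec command, echoes its output, returns 0 on success.
gsec_batch() {
    user="$1"; pass="$2"; shift 2
    # stdin from /dev/null: if gsec switches to interactive mode it reads EOF
    # immediately instead of blocking the script; stderr is merged for checking.
    if output=$("$GSEC" -user "$user" -password "$pass" "$@" </dev/null 2>&1); then
        status=0
    else
        status=$?
    fi
    printf '%s\n' "$output"
    gsec_check_output "$status" "$output"
}
```

Called as `gsec_batch sysdba masterkey -display`, the wrapper returns nonzero whenever the run failed, so `if gsec_batch ...; then ...; fi` works on both Windows-style and Unix shells that provide sh.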

Potential security problems

Up until Firebird 2.0, running any of the Firebird utilities with a password supplied on the command line meant that anyone logged on to the same server could call ps -efx|grep -i pass (or similar) and be able to see the SYSDBA or other passwords. From Firebird 2.0 this is no longer possible as Firebird now replaces the supplied password with spaces.