On 20-5-2019 12:54, sbai...@mutualconsultants.ltd.uk [firebird-support] wrote:
>> You cannot do that if you
>> 1) Have no access to the file (and server file system as whole).
>> 2) Don't know password of database owner.
>
> 1) Yes agreed, you need access to the file - so I have been testing what
> happens if the file does somehow fall into the wrong hands
>
> 2) In my testing I was able to open MyDB and view its contents *without*
> knowing the owner's password just by making it use my default
> security.fbd and SYSDBA/masterkey.

Which is not surprising, as SYSDBA is the Firebird superuser and it can do anything it wants. As with any database system, the security is enforced by the database server. If you are in control of the database server (the superuser/admin), then you can do anything you want.

And if you don't have SYSDBA access on a server, but you do have access to the file system, you can copy the database and transfer it to another system and access the database there. This applies to any database system, not just Firebird.

The security enforced by the server is just to enforce that applications ('users') don't exceed their allowed access. But having sufficient access to the server itself (either Firebird or the underlying filesystems) allows you to circumvent that.

Mark
--
Mark Rotteveel