Anomalies between 3 methods of user management regarding valid user names and passwords
---------------------------------------------------------------------------------------
Key: CORE-3717
URL: http://tracker.firebirdsql.org/browse/CORE-3717
Project: Firebird Core
Issue Type: Bug
Components: Security
Affects Versions: 2.5.1
Environment: We tested on 32-bit Windows but the issues should be
platform-independent.
Reporter: Helen Borrie
1. With CREATE USER, cannot create a user name starting with a numeral, unless
it is double-quoted:
C:\Programs\Firebird\Firebird_2_5>bin\isql empdb -user sysdba -password masterkey
Database: empdb, User: sysdba
SQL> create user 1234 password 'silence';
Statement failed, SQLSTATE = 42000
Dynamic SQL Error
-SQL error code = -104
-Token unknown - line 1, column 13
-1234
SQL> create user alfred password 'silence';
SQL> create user "1234" password 'silence';
SQL> drop user 1234;
Statement failed, SQLSTATE = 42000
Dynamic SQL Error
-SQL error code = -104
-Token unknown - line 1, column 11
-1234
SQL> drop user "1234";
SQL>
2. Using gsec, can add a user name starting with a numeral but cannot submit a
password using Norwegian characters:
c:\Programs\Firebird\Firebird_2_5\bin>gsec -database babe:secdb -user sysdba -password masterkey
GSEC> add 1qwerty -pw æøåØ
invalid parameter, no switch defined
error in switch specifications
GSEC> add qwerty -pw æøåØ
invalid parameter, no switch defined
error in switch specifications
GSEC> add qwerty -pw "æøåØ"
invalid parameter, no switch defined
error in switch specifications
GSEC> add qwerty -pw rubberdk
GSEC> display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
WOMBAT 0 0 admin Cute Little Marsupial
SETI 0 0 admin Svein Erling Tysvaer
QWERTY 0 0
GSEC> add 1qwerty -pw rubberdk
GSEC> display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
WOMBAT 0 0 admin Cute Little Marsupial
SETI 0 0 admin Svein Erling Tysvaer
ALFRED 0 0
QWERTY 0 0
1QWERTY 0 0
GSEC>quit
3. Returning to isql, cannot create a user starting with a numeral, even if
character set is something other than NONE. However, we can submit a password
containing any number of lower and upper case Norwegian characters without
exceptions (even when we have 9 characters):
c:\Programs\Firebird\Firebird_2_5\bin>isql -user sysdba -password masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> set names ISO8859_1;
SQL> connect babe:empdb;
Database: babe:empdb, User: sysdba
SQL> create user 2qwerty password 'æøåØ';
Statement failed, SQLSTATE = 42000
Dynamic SQL Error
-SQL error code = -104
-Token unknown - line 1, column 13
-2
SQL> create user qwerty2 password 'æøåØ';
SQL> create user qwerty3 password 'æøåÆØÅ';
SQL> create user qwerty4 password 'æøåÆØÅ123';
SQL>exit;
4. But now, returning to gsec, we cannot modify the -lname parameter to a
string containing a Norwegian character:
c:\Programs\Firebird\Firebird_2_5\bin>gsec -database babe:secdb -user sysdba -password masterkey
GSEC> display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
WOMBAT 0 0 admin Cute Little Marsupial
SETI 0 0 admin Svein Erling Tysvaer
QWERTY 0 0
1QWERTY 0 0
QWERTY2 0 0
QWERTY3 0 0
QWERTY4 0 0
GSEC> modify seti -lname Tysvår
invalid parameter, no switch defined
error in switch specifications
GSEC>quit
5. Back in isql, ALTER USER allows the Norwegian character in the LASTNAME
parameter:
c:\Programs\Firebird\Firebird_2_5\bin>isql -user sysdba -password masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> set names ISO8859_1;
SQL> CONNECT EMPDB;
Database: EMPDB, User: sysdba
SQL> alter user seti lastname 'Tysvår';
SQL> quit;
c:\Programs\Firebird\Firebird_2_5\bin>gsec -database babe:secdb -user sysdba -password masterkey
GSEC> display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
WOMBAT 0 0 admin Cute Little Marsupial
SETI 0 0 admin Svein Erling Tysv-år
QWERTY 0 0
1QWERTY 0 0
QWERTY2 0 0
QWERTY3 0 0
QWERTY4 0 0
GSEC>
6. At this point I copy the gsec output to my ansi text file and get a warning
that it contains Unicode characters.
7. More anomalies occur when isc_add_user is the means of adding a user (we
used IB_SQL for this, client charset as ISO8859_1).
a. Tried to add a user with a "traditionally legal" name and a password
consisting of a mix of upper and lower case Norwegian characters:
IB_SQL (isc_add_user):
Using password æøåÆØÅ
ISC ERROR CODE:335544748
SQL ERROR CODE:-85
SQL ERROR MESSAGE:
An error occurred while trying to update the security database
ISC ERROR MESSAGE:
The password specified is too long. Maximum length is 8 bytes.
b. Using password æøåÆ : operation completed successfully
c. Using username 6qwerty: operation completed successfully
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
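Added example (not part of the original report and not Firebird code): the isc_add_user results in item 7 can be checked against the 8-byte limit quoted in the error message by counting the bytes each password occupies under different encodings. The two candidate encodings are an assumption of this example; the result is an inference from byte counts, not a confirmed cause.

```python
# Added example: which byte encoding makes the outcomes in item 7 of the
# report consistent with the 8-byte password limit from the error message?

LIMIT_BYTES = 8  # "Maximum length is 8 bytes." (item 7a)

# (password, accepted?) pairs as reported in items 7a and 7b.
OBSERVED = [
    ("æøåÆØÅ", False),  # 7a: rejected as too long
    ("æøåÆ", True),     # 7b: operation completed successfully
]

# Assumption: only these two encodings are compared. ISO8859_1 is the client
# charset named in the report; UTF-8 is a candidate chosen for this example.
CANDIDATES = ("iso8859_1", "utf_8")


def byte_length(password, encoding):
    """Number of bytes the password occupies in the given encoding."""
    return len(password.encode(encoding))


def predicted_accept(password, encoding, limit=LIMIT_BYTES):
    """True if a byte-based limit would let this password through."""
    return byte_length(password, encoding) <= limit


def consistent_encodings(observed=OBSERVED, candidates=CANDIDATES):
    """Encodings whose byte counts reproduce every observed outcome."""
    return [
        enc for enc in candidates
        if all(predicted_accept(pw, enc) == ok for pw, ok in observed)
    ]


def report(observed=OBSERVED, candidates=CANDIDATES):
    """Rows of (password, encoding, bytes, predicted, observed)."""
    return [
        (pw, enc, byte_length(pw, enc), predicted_accept(pw, enc), ok)
        for pw, ok in observed
        for enc in candidates
    ]


if __name__ == "__main__":
    for pw, enc, n, pred, ok in report():
        print(f"{pw!r:10} {enc:10} {n:2d} bytes predicted={pred} observed={ok}")
    print("consistent with item 7:", consistent_encodings())
```

Under ISO8859_1 the six-character password is only 6 bytes and would pass an 8-byte check, so of the two candidates only the multi-byte count matches what item 7 reports.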