On 2020-06-01 17:29, Mark Rotteveel wrote:
> On 01-06-2020 16:07, Alex Peshkoff via Firebird-devel wrote:
>> On 2020-06-01 16:54, Mark Rotteveel wrote:
>>> On 01-06-2020 11:57, Alex Peshkoff via Firebird-devel wrote:
>>>> The legacy approach of pre-initializing with a password well known
>>>> to the world is a very bad idea. Not to say too many words about
>>>> security - have you ever seen a unix distro with a pre-initialized
>>>> root password? Our installers all try to do the best possible to
>>>> initialize SYSDBA. What about completely automatic initialization -
>>>> yes, we can do it and save a new random SYSDBA password to
>>>> firebird.log. But I doubt that this is a better solution compared
>>>> with the existing one - how can a novice guess where to search for
>>>> that password?
>>>
>>> I'm not talking about creating a user, I'm talking about
>>> initializing the security database so the necessary tables for SRP
>>> already exist. That should not necessitate the creation of a user
>>> (and if it currently technically does require that, then that is a
>>> deficiency that should be addressed).
>>
>> That's trivial - but what do we win with that?
>
> We prevent the entire subject of this discussion: an unnecessary error
> message about the installation not being complete where the normal
> 'Your user name and password are not defined. Ask your database
> administrator to set up a Firebird login.' error would suffice.

People often complain of poor diagnostics in firebird. Well, it looks like
it is now becoming popular to complain of too good diagnostics - just
because it became a bit old. We have special code that detects a
possible error case typical for the beginning of use of firebird and
sends the user to the specific place in the documentation that explains how
to fix this. The only problem is that the text should be fixed a little (and
maybe those pages from the docs should be copied to another place). Replacing
an error message which explains in detail what to do to fix a problem (how to
set up a firebird login when there is no SYSDBA record in the security database)
with amorphous text (specially designed to avoid providing malicious
users any information about the real firebird server state) is hardly an
enhancement.

Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel