On 05-11-2020 15:29, Alex Peshkoff via Firebird-devel wrote:
> On 11/5/20 5:03 PM, Mark Rotteveel wrote:
>> I just tried to drop the LegacyAuth SYSDBA account from the security database, but this only results in:
>>
>> SQL> drop user sysdba using plugin Legacy_UserManager;
>> Statement failed, SQLSTATE = HY000
>> delete record error
>>
>> As the second best option I tried disabling it, but disabling accounts is not possible with the Legacy_UserManager (or ignored by LegacyAuth); only with Srp does disabling accounts work.
>>
>> I have no problems dropping SYSDBA with Srp, why is this not possible with Legacy_UserManager? Am I missing something?
>
> Maybe the fact that this is a _legacy_ plugin which was never able to drop SYSDBA.
>
>> I also tried gsec, but it looks like gsec in 3.0.7 will always pick Srp, ignoring the UserManager setting in firebird.conf.
>
> You are wrong here, just rechecked:

You're right, after a reboot it now follows the setting in firebird.conf. I'm not sure what triggered this, but I did run (and stopped) a Firebird 4 instance before doing this on 3.0.7. If I have the time, I might try to reproduce this.

> But this does not help you drop legacy SYSDBA.
>
>> As a result, requiring a strong password for SYSDBA (by only using Srp for admin accounts) is impossible if you also need to be able to support LegacyAuth for other accounts.
>
> The problem is rather artificial - if one cares about security, the legacy plugin is to be disabled.

I'm unsure how artificial it is. I can imagine scenarios where one has applications that, for whatever reason, need to use LegacyAuth (e.g. because an application has to use a driver that only supports legacy auth or protocol 12 or lower); then you need to have LegacyAuth enabled, and not being able to drop the LegacyAuth SYSDBA then lowers security.

> But one can for example:
> 1. attach to security db embedded and delete SYSDBA record manually
> 2. create (global) mapping to map unwanted sysdba to something non-admin

Thanks, I had considered the first option, but was looking for the wrong table. The second option is an interesting idea as well.

Mark
--
Mark Rotteveel
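The two workarounds Alex lists above, written out as an added example. This is not code from the thread or from the Firebird project; it assumes the Firebird 3 security database layout (legacy accounts in PLG$USERS keyed by PLG$USER_NAME, Srp accounts in the separate PLG$SRP table), and the database path, the mapping name demote_legacy_sysdba and the target user name legacy_nonadmin are placeholders chosen for illustration.

```sql
-- Added example, not from the mailing-list thread or the Firebird sources.
-- Goal: neutralise the Legacy_UserManager SYSDBA account that
-- "DROP USER sysdba USING PLUGIN Legacy_UserManager" refuses to remove,
-- while keeping Legacy_Auth enabled for other accounts.
-- Assumptions: Firebird 3 security3.fdb layout (PLG$USERS / PLG$SRP);
-- the path, mapping name and legacy_nonadmin user name are placeholders.

-- Option 1: attach to the security database with the embedded engine,
-- i.e. a direct local path with no server in between, running as the OS
-- user that owns the Firebird files. Adjust the path to your installation.
CONNECT '/opt/firebird/security3.fdb' USER 'SYSDBA';

-- Look before deleting: list the accounts the legacy plugin knows about.
SELECT PLG$USER_NAME FROM PLG$USERS;

-- Remove only the legacy SYSDBA row. The Srp SYSDBA lives in PLG$SRP and
-- is not touched, so Srp logins with the strong password keep working.
DELETE FROM PLG$USERS WHERE PLG$USER_NAME = 'SYSDBA';
COMMIT;

-- Option 2: leave the row in place but strip its privileges. Anyone who
-- authenticates as SYSDBA through the Legacy_Auth plugin is renamed to an
-- ordinary, non-admin user, so the weak legacy password no longer yields
-- administrator rights. GLOBAL stores the mapping in the security database,
-- so it applies to every database served by this instance.
CREATE GLOBAL MAPPING demote_legacy_sysdba
    USING PLUGIN Legacy_Auth
    FROM USER SYSDBA
    TO USER legacy_nonadmin;
COMMIT;

-- Check: after reconnecting as SYSDBA via Legacy_Auth, CURRENT_USER should
-- report LEGACY_NONADMIN rather than SYSDBA.
SELECT CURRENT_USER FROM RDB$DATABASE;
```

Two caveats for anyone applying this: the mapping is deliberately restricted with USING PLUGIN Legacy_Auth; writing USING ANY PLUGIN instead would also demote the Srp SYSDBA and lock you out of administration. And with option 1, take a copy of security3.fdb first, since the security database has no other SYSDBA record for the legacy plugin to fall back on once the row is gone.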


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel