On 8/8/22 15:41, Pavel Zotov wrote:
Currently one needs to use only a local connection in order to create a self-security database, i.e.:
1) we create in databases.conf an alias of the DB that we want to create, e.g.:
tmp_self= $(dir_sampleDb)/tmp_self_example.fdb
{
    SecurityDatabase = tmp
}
2) we run a "create database" statement and specify the alias 'tmp_self' there, *without* a protocol prefix ('localhost:', 'inet://', 'xnet://'):
========
 D:\FB\fb308>isql -q
SQL> create database 'tmp_self'; set list on; select mon$database_name, mon$owner, mon$sec_database from mon$database; drop database;
. . .
 MON$DATABASE_NAME D:\FB\FB308\EXAMPLES\EMPBUILD\TMP_SELF_EXAMPLE.FDB
 MON$OWNER ZOTOV
 MON$SEC_DATABASE Self
========
So far so good.
But if we try to create DB using command like this:
=========
create database 'localhost:tmp_self' user sysdba password 'masterkey'; drop database;
=========
-- then an error is raised:
========
  SQL> Statement failed, SQLSTATE = 08006
  Error occurred during login, please check server firebird.log for details
========
The content of firebird.log in that case will be the following:
========
   Authentication error
   I/O error during "CreateFile (open)" operation for file "tmp_self"
   Error while trying to open file
   [ can not find specified file ] // localized message here
========
Why does this restriction exist?

Because login / password are to be validated in a database that does not exist yet. Therefore the password check fails and you can't attach to the server. Without a connection to the server it's hard to create something on it ;)

The database file also did not exist when we used the local protocol.

From DS:
  Have you forgotten that it means embedded mode and user name/password are not checked at all?
And yes - when there is no need to check login info, there is no need to attach to a non-existent database.

So, what's the problem with just ignoring this (i.e. the missing .fdb file) and trying to create this DB?

The problem is the need to follow the security rule - each connection to the server is to be validated by plugins.

PS. 2 more cents.
One can create a database with a self-security alias remotely if some plugin, configured on the server, does not need to attach to it. But for today we do not have one - even win_sspi needs a DB (and security DB - which is the same database in your case) connection to load mappings.

PPS. If one has access to databases.conf to create a new alias, he definitely has embedded access to the server, i.e. the problem appears to be rather artificial.
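
The condition explained in this thread, as an added Python example (not part of the original messages and not Firebird code): it parses databases.conf-style text and lists the aliases whose SecurityDatabase points back at the alias's own file while that file does not exist yet, which are the aliases where a remote CREATE DATABASE has nothing to authenticate against. The sample config, the function names and the case-insensitive matching are assumptions.

```python
# Constructed sample in databases.conf syntax: "alias = path" plus an optional { } block.
SAMPLE_CONF = """\
# constructed example, not taken from a real server
employee = $(dir_sampleDb)/employee.fdb
tmp_self = $(dir_sampleDb)/tmp_self_example.fdb
{
    SecurityDatabase = tmp_self
}
shared_sec = /data/shared.fdb
{
    SecurityDatabase = other_sec
}
"""

def parse_aliases(text):
    """Return {alias: {"path": str, "params": {name: value}}} from config text."""
    aliases, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "{":
            in_block = current is not None       # block belongs to the last alias
        elif line == "}":
            in_block, current = False, None
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep:
                continue                         # not a "name = value" line
            if in_block:
                # Assumption: parameter names are matched case-insensitively.
                aliases[current]["params"][key.lower()] = value
            else:
                current = key
                aliases[key] = {"path": value, "params": {}}
    return aliases

def remote_create_blocked(text, existing_files=()):
    """Aliases that are their own security database and whose file is absent."""
    blocked = []
    for name, entry in parse_aliases(text).items():
        sec = entry["params"].get("securitydatabase")
        # Self-security: SecurityDatabase names the alias itself or its own path.
        is_self = sec is not None and sec.lower() in (name.lower(), entry["path"].lower())
        if is_self and entry["path"] not in existing_files:
            blocked.append(name)                 # create via embedded access first
    return blocked
```
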




Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel