Permission/file access issues. Firebird 4.0.0, Fedora 36


linux guy

Oct 21, 2022, 4:54:29 PM
to firebird-support
I'm trying to set the password for SYSDBA as per /usr/share/doc/firebird/README.security_database.txt 


$ dnf list firebird
Installed Packages
firebird.x86_64                            4.0.0.2496-5.fc35

Check that firebird isn't running.
$ ps -aux | grep firebird
me          3037  0.0  0.0 221664  2232 pts/0    S+   12:28   0:00 grep --color=auto firebird

Add me to the firebird group
# usermod -a -G firebird me

$ isql-fb -user sysdba '/home/me/Database/employee.fdb'
Database: /home/me/Database/employee.fdb, User: SYSDBA
SQL> SHOW TABLES  ;
COUNTRY
CUSTOMER
DEPARTMENT
EMPLOYEE
EMPLOYEE_PROJECT
JOB
PROJECT
PROJ_DEPT_BUDGET
SALARY_HISTORY
SALES

SQL> create user SYSDBA password 'mypassword';
Statement failed, SQLSTATE = 08001
I/O error during "open" operation for file "/var/lib/firebird/secdb/security4.fdb"
-Error while trying to open file
-Permission denied

# ls -al /var/lib/firebird/secdb/
total 1920
drwx------. 1 firebird firebird      26 Oct 21 11:06 .
drwxr-xr-x. 1 root     root          42 Oct 10  2021 ..
-rw-------. 1 firebird firebird 1966080 Oct 10  2021 security4.fdb

# id me
uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)

What am I doing wrong ?  Should security4.fdb have different permissions ?  Like rw-rw ?

Thanks





linux guy

Oct 21, 2022, 5:32:29 PM
to firebird...@googlegroups.com
I do not receive the error if I open the database up as root instead of me.

Dimitry Sibiryakov

Oct 21, 2022, 5:36:07 PM
to firebird...@googlegroups.com
linux guy wrote 21.10.2022 20:36:
> -rw-------. 1 firebird firebird 1966080 Oct 10  2021 security4.fdb
>
> # id me
> uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)
>
> What am I doing wrong ?  Should security4.fdb have different permissions ?  Like
> rw-rw ?

Yes. Permissions for the file are set to 600 which means only owner access so
including yourself into group firebird is not enough. Permissions should be 660
to allow access by group.

--
WBR, SD.

linux guy

Oct 21, 2022, 6:56:49 PM
to firebird...@googlegroups.com
Thanks for the reply.
Exactly which permission(s) should be set to 600 ?

linux guy

Oct 21, 2022, 7:12:22 PM
to firebird...@googlegroups.com
Sorry, misread your reply.

linux guy

Oct 21, 2022, 7:27:38 PM
to firebird...@googlegroups.com
Who and what group should a database file be, ie employee.fdb and what
permission should it have ? I'm guessing firebird, firebird and 660.

Mark Rotteveel

Oct 22, 2022, 4:04:50 AM
to firebird...@googlegroups.com
On 21-10-2022 20:36, linux guy wrote:
> I'm trying to set the password for SYSDBA as per
> /usr/share/doc/firebird/README.security_database.txt
>
>
> $ dnf list firebird
> Installed Packages
> firebird.x86_64  4.0.0.2496-5.fc35
>
> Check that firebird isn't running.
> $ ps -aux | grep firebird
> me          3037  0.0  0.0 221664  2232 pts/0    S+   12:28   0:00 grep
> --color=auto firebird
>
> Add me to the firebird group
> # usermod -a -G firebird me

Did you log out and back in so you actually have the permission of this
group? Or execute `newgrp firebird` so the permission is loaded into
your current user session?

> # ls -al /var/lib/firebird/secdb/
> total 1920
> drwx------. 1 firebird firebird      26 Oct 21 11:06 .
> drwxr-xr-x. 1 root     root          42 Oct 10  2021 ..
> -rw-------. 1 firebird firebird 1966080 Oct 10  2021 security4.fdb
>
> # id me
> uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)
>
> What am I doing wrong ?  Should security4.fdb have different permissions
> ?  Like rw-rw ?

Yes, that looks off to me. If users with the firebird group want to
modify the security database through an embedded connection, they need
read/write permission as well.

Mark
--
Mark Rotteveel

Mark Rotteveel

Oct 22, 2022, 4:10:02 AM
to firebird...@googlegroups.com
On 22-10-2022 01:27, linux guy wrote:
> Who and what group should a database file be, ie employee.fdb and what
> permission should it have ? I'm guessing firebird, firebird and 660.

That depends on who and how you want to allow them to access the
database. If you give everyone permission read/write, everyone can open
the database using an embedded connection (direct file access), though
this may run into issues with the permissions on the lock directory
(which may be granted permission only to the firebird user and the
firebird group).

If you want a database to be *only* accessible through the Firebird
server process, and not through embedded connections, you should only
give permissions to the firebird user, and not the firebird group.

If you want the firebird server and/or users in the firebird group
permission to *drop* a database, you will also need to give delete
permissions, etc.

Giving only user firebird and group firebird r/w (and maybe delete)
permission is probably the best choice.

Mark
--
Mark Rotteveel

linux guy

Oct 25, 2022, 11:41:25 AM
to firebird...@googlegroups.com
I've still got permission issues.

SQL> connect 'localhost:/home/me/Database/employee.fdb'
CON> user SYSDBA password 'xxxxx';
Statement failed, SQLSTATE = 08001
I/O error during "open" operation for file "/home/me/Database/employee.fdb"
-Error while trying to open file
-Permission denied

Note to developers: it would be really nice if these error messages
were more descriptive.

$ ls -al
total 2768
drwxr-xr-x. 1 me me 24 Oct 21 11:21 .
drwx------. 1 me me 454 Oct 21 17:23 ..
-rw-rw----. 1 firebird firebird 2834432 Oct 21 15:33 employee.fdb

$ id me
uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)

So which file doesn't it have permission to ?

Ertan Küçükoglu

Oct 25, 2022, 11:46:10 AM
to firebird...@googlegroups.com
Hello,

AFAIK, your example connection is EMBEDDED.
If the database has connection thru TCP/IP, it is normal for you to receive I/O error.
Not 100% sure your case is this, but worth checking it out.

Regards,
Ertan


Dimitry Sibiryakov

Oct 25, 2022, 11:54:44 AM
to firebird...@googlegroups.com
linux guy wrote 25.10.2022 17:41:
> Note to developers: it would be really nice if these error messages
> were more descriptive.

No it is as descriptive as possible. No further information is available at
the point of "open" call.

> So which file doesn't it have permission to ?

The "/home/me/Database/". Firebird server (which you are connected to) is
obviously not a member of group "me" or run under "me" account.
On Linux an application must have access to every level of path in order to
have access to a file.

--
WBR, SD.

linux guy

Oct 25, 2022, 12:25:49 PM
to firebird...@googlegroups.com
Comments below.

On Tue, Oct 25, 2022 at 9:46 AM Ertan Küçükoglu
<ertan.k...@gmail.com> wrote:
>
> Hello,
>
> AFAIK, your example connection is EMBEDDED.
> If the database has connection thru TCP/IP, it is normal for you to receive I/O error.
> Not 100% sure your case is this, but worth checking it out.

Thanks for the tip.

I'm following the directions given here:
https://firebirdsql.org/file/documentation/html/en/firebirddocs/qsg3/firebird-3-quickstartguide.html

I've attempted connections with 2 different firebird engines. 1)
4.0.0 from the Fedora 36 Repo. And the one I am currently using,
4.0.2 as downloaded from github. Neither installation asked me to
select Classic, SuperClassic, SuperServer or, as you mention,
Embedded.

The connection I'm attempting this morning is on my server. I'm using
localhost so as to avoid firewalls, host name lookup, etc. I'm
trying to attain the simplest test I can.

linux guy

Oct 25, 2022, 12:33:43 PM
to firebird...@googlegroups.com
On Tue, Oct 25, 2022 at 9:54 AM 'Dimitry Sibiryakov' via
firebird-support <firebird...@googlegroups.com> wrote:
>
> linux guy wrote 25.10.2022 17:41:
> > Note to developers: it would be really nice if these error messages
> > were more descriptive.
>
> No it is as descriptive as possible. No further information is available at
> the point of "open" call.

Would it be possible to list which file the permission violation
occurs on ? I'm assuming it is employee.fdb, but is that correct?

> The "/home/me/Database/". Firebird server (which you are connected to) is
> obviously not a member of group "me" or run under "me" account.

I'm running isql-fb as me.

$ ls -l
total 0
drwxr-xr-x. 1 me me 24 Oct 21 11:21 Database

$ id firebird
uid=978(firebird) gid=974(firebird) groups=974(firebird)

$ id me
uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)

So the "firebird" user should be added to the group "me" ?

I'm following the directions in the link below and it doesn't mention
anything about setting up permissions.

https://firebirdsql.org/file/documentation/html/en/firebirddocs/qsg3/firebird-3-quickstartguide.html

> On Linux an application must have access to every level of path in order to
> have access to a file.

It just occurred to me that I am running isql-fb as me, but the engine
itself is running as firebird. The firebird user will need to be a
member of group me in order to access /home/me/Database.

Dimitry Sibiryakov

Oct 25, 2022, 12:49:39 PM
to firebird...@googlegroups.com
linux guy wrote 25.10.2022 18:33:
> Would it be possible to list which file the permission violation
> occurs on ?

It is already mentioned in the message.

> I'm running isql-fb as me.

isql-fb is just a client application. It does not access database directly.

> I'm following the directions in the link below and it doesn't mention
> anything about setting up permissions.

Yes. Because it is a guide for Firebird only. Description of every aspect of
every operating system that Firebird can run on is out of its scope. As well as
question "how to turn computer on" if you understand what I have in mind.

> It just occurred to me that I am running isql-fb as me, but the engine
> itself is running as firebird. The firebird user will need to be a
> member of group me in order to access /home/me/Database.

That's right. This is the way client-server DBMSs work.
Usage of embedded database engine(s) is very different and you must not mix
them up.

--
WBR, SD.

linux guy

Oct 25, 2022, 4:11:08 PM
to firebird...@googlegroups.com
It appears that the firebird user had permission to open the database
file. However, I can't get it to open with firebird.

[me@5900X Database]$ sudo -u firebird ls -al
total 2768
drwxr-xr-x. 1 me me 24 Oct 21 11:21 .
drwx------. 1 me me 470 Oct 25 10:34 ..
-rw-rw----. 1 firebird firebird 2834432 Oct 21 15:33 employee.fdb

[me@5900X Database]$ sudo -u firebird cat employee.fdb
<spits out database.fdb, as best it can>

$ id me
uid=1000(me) gid=1000(me) groups=1000(me),10(wheel),974(firebird)

$ id firebird
uid=978(firebird) gid=974(firebird) groups=974(firebird),1000(me)

[me@5900X Database]$ isql-fb
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect localhost:/home/me/Database/employee.fdb
CON> user SYSDBA password xxxx ;
Statement failed, SQLSTATE = 08001
I/O error during "open" operation for file "/home/me/Database/employee.fdb"
-Error while trying to open file
-Permission denied

Is this an operating system permission message or a user permission
issue on the database itself ?

linux guy

Oct 25, 2022, 4:15:13 PM
to firebird...@googlegroups.com
However, I can open it locally like this:

SQL> connect '/home/me/Database/employee.fdb'
CON> user SYSDBA password xxxx;
Database: '/home/me/Database/employee.fdb', User: SYSDBA
SQL> show tables ;
COUNTRY
CUSTOMER
DEPARTMENT
EMPLOYEE
EMPLOYEE_PROJECT
JOB
PROJECT
PROJ_DEPT_BUDGET
SALARY_HISTORY
SALES

Firebird is listening on port 3050.
# netstat -tulpn | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1279/sshd: /usr/sbi
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 977/systemd-resolve
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 977/systemd-resolve
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 977/systemd-resolve
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1272/cupsd
tcp6 0 0 :::22 :::* LISTEN 1279/sshd: /usr/sbi
tcp6 0 0 :::3050 :::* LISTEN 4276/firebird
tcp6 0 0 ::1:631 :::* LISTEN 1272/cupsd
tcp6 0 0 :::5355 :::* LISTEN 977/systemd-resolve

What am I missing ?

linux guy

Oct 25, 2022, 5:17:29 PM
to firebird...@googlegroups.com
Here's the problem...

[me@5900X ~]$ sudo -u firebird -s
[sudo] password for me:
bash-5.2$ whoami
firebird
bash-5.2$ cd /home/me
bash: cd: /home/me: Permission denied
bash-5.2$ cd /home/me/Database
bash: cd: /home/me/Database: Permission denied
bash-5.2$ ls /home/me/Database/employee.fdb
ls: cannot access '/home/me/Database/employee.fdb': Permission denied

LOL. No wonder it doesn't work.

Dimitry Sibiryakov

Oct 25, 2022, 5:31:06 PM
to firebird...@googlegroups.com
linux guy wrote 25.10.2022 22:10:
> It appears that the firebird user had permission to open the database
> file. However, I can't get it to open with firebird.
>
> [me@5900X Database]$ sudo -u firebird ls -al
> total 2768
> drwxr-xr-x. 1 me me 24 Oct 21 11:21 .
> drwx------. 1 me me 470 Oct 25 10:34 ..
----^^^^
Do you see missing group permissions here?

> $ id firebird
> uid=978(firebird) gid=974(firebird) groups=974(firebird),1000(me)

No wonder that Firebird even within "me" group has no access to directory
where "me" group has no access.

--
WBR, SD.
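
Added example (not part of any post in this thread): a Python sketch of the per-component check described above, where a process needs search (x) permission on every directory in the path and rw on the database file itself. The sample chain is constructed from the `ls -al` and `id` output posted in the thread; the function names are hypothetical, and only classic owner/group/other mode bits are modelled (no ACLs, SELinux or service sandboxing).

```python
import os
import stat

def allowed(mode, owner_uid, owner_gid, uid, gids, need):
    """Classic POSIX check: exactly one class applies (owner, else group, else other)."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & need) == need

def first_blocker(chain, uid, gids):
    """Return the first path in chain that denies (uid, gids), or None if all pass."""
    for path, mode, owner_uid, owner_gid, is_dir in chain:
        need = 1 if is_dir else 6  # x (search) on directories, rw on the database file
        if not allowed(mode, owner_uid, owner_gid, uid, gids, need):
            return path
    return None

def chain_from_fs(path):
    """Build the chain for a real path by stat()ing each component from / down."""
    parts, cur = [], os.path.abspath(path)
    while True:
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    chain = []
    for p in reversed(parts):
        st = os.stat(p)
        chain.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      stat.S_ISDIR(st.st_mode)))
    return chain

# Constructed from the thread's ls/id output: me=1000, firebird uid=978 gid=974.
THREAD_CHAIN = [
    ("/home/me", 0o700, 1000, 1000, True),
    ("/home/me/Database", 0o755, 1000, 1000, True),
    ("/home/me/Database/employee.fdb", 0o660, 978, 974, False),
]

if __name__ == "__main__":
    print(first_blocker(THREAD_CHAIN, 978, {974, 1000}))       # server account
    print(first_blocker(THREAD_CHAIN, 1000, {1000, 10, 974}))  # embedded, as me
```

For a live path, build the chain with `chain_from_fs(path)` as root, then pass the service account's uid and groups as reported by `id firebird`.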

linux guy

Oct 25, 2022, 5:43:57 PM
to firebird...@googlegroups.com
> Do you see missing group permissions here?

Yes I did. And the group permission needs to be set to at least rw,
not just read, like it is in a "normal" home dir group.

I fixed the permission for the path and for the database file itself
and now firebird works via localhost and across the network.

Thank you for your replies and patience.

linux guy

Oct 25, 2022, 5:45:04 PM
to firebird...@googlegroups.com
[me@workstation1 ~]$ isql-fb
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect 5900x:/home/me/Database/employee.fdb
CON> user SYSDBA password xxxxx;
Database: 5900x:/home/me/Database/employee.fdb, User: SYSDBA
SQL> show tables;