REVOKE fails with permission error on security database

Hamish Moffatt

Aug 18, 2025, 12:44:24 AM
to firebird...@googlegroups.com
We have a Mac and Windows application which uses embedded Firebird 5.0.2.

The application's database is stored in a read-write directory (on
Windows, in \ProgramData or \Users\...\AppData), and the security
database is in the program files directory, and not writable.

Our application tries to ensure the database has restricted rights, by
executing:

REVOKE ALL ON ALL FROM USER PUBLIC ;

This is failing with "no permission for read-write access to database
<....>/security5.fdb"


We seem to be able to GRANT and REVOKE specific permissions ok, just not
ALL. "SHOW GRANTS" also fails with the permission error on
security5.fdb, after displaying all the grants.

I would welcome any suggestions for this.


Hamish

liviuslivius

Aug 18, 2025, 1:52:53 AM
to firebird...@googlegroups.com
Hi

Are you sure that you are talking about embedded access? If yes, then there is no security at all. You can connect as sysdba without a password at all in embedded mode, or simply copy the database file and do anything with it.

Regards,
Karol Bieniaszewski


-------- Original message --------
From: 'Hamish Moffatt' via firebird-support <firebird...@googlegroups.com>
Date: 18.08.2025 06:44 (GMT+01:00)
Subject: [firebird-support] REVOKE fails with permission error on security database


Hamish Moffatt

Aug 18, 2025, 7:14:42 PM
to firebird...@googlegroups.com
On 18/8/25 15:52, 'liviuslivius' via firebird-support wrote:
> Hi
>
> Are you sure that you are talking about embedded access? If yes, then
> no security at all. You can connect as sysdba without password at all
> in embedded mode, or simply copy database file and doing anything with it.
>

Hi,

Yes, absolutely embedded access. The server is stopped, just in case.
Access works, but "SHOW GRANTS" fails, as does "REVOKE ALL ON ALL".

I can reproduce this in a Linux container too, "chmod 0 security5.fdb"
and then SHOW GRANTS fails:


root@4b3a8e7c6cfb:/tmp/Firebird-5.0.3.1683-0-linux-x64/opt/firebird/bin# ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'foo.fdb';
SQL> show grants ;
There is no privilege granted in this database

root@4b3a8e7c6cfb:/tmp/Firebird-5.0.3.1683-0-linux-x64/opt/firebird/bin# chmod 0 ../security5.fdb
root@4b3a8e7c6cfb:/tmp/Firebird-5.0.3.1683-0-linux-x64/opt/firebird/bin# ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect 'foo.fdb';
Database: 'foo.fdb', User: SYSDBA
SQL> show grants ;
Statement failed, SQLSTATE = 28000
no permission for read-write access to database
/tmp/Firebird-5.0.3.1683-0-linux-x64/opt/firebird/security5.fdb
-IProvider::attachDatabase failed when working with CREATE DATABASE grants
There is no privilege granted in this database

SQL> revoke all on all from public ;
Statement failed, SQLSTATE = 28000
unsuccessful metadata update
-REVOKE failed
-no permission for read-write access to database
/tmp/Firebird-5.0.3.1683-0-linux-x64/opt/firebird/security5.fdb

The security database location can be changed in database.conf, so maybe
I can make a temporary configuration file and security database in a
writable directory? But I'm not sure how to refer to a configuration
file outside of the Firebird program file directory.

Hamish

