How to backup using Windows Task Scheduler without User/Password?

[Luciano Rodrigues Nunes Mendes]

Hi All,

I am creating a Windows Batch File for the backup of a Firebird 3.0 database that will be used in the Windows Task Scheduler and I would NOT like to write the User/Password in this Windows Batch File.

Is there any possibility of writing a Windows Batch File that uses Windows Task Scheduler user authentication via Win_Sspi protocol so that I don't have to write the User/Password in this Windows Batch File?

What kind of changes should I make to my backup script below so that I don't have to write a username/password on it and it starts using the Windows Task Scheduler domain user authentication via the Win_Sspi protocol?

set Firebird_Bin_Folder=%ProgramFiles%\Firebird\Firebird_3_0

set User=SYSDBA

set Password=sysdbapwd

set Database=MY_DB

"%Firebird_Bin_Folder%\gbak.exe" -user %User% -password %Password% -backup_database "%Database%" "%CD%\%Database%.FBK" -verify -y "%CD%\%Database%.LOG" -statistics tdrw

Thanks in Advance,

Luciano

[Tim Crawford]

I recall there is or was an authentication thing based on windows,
but might be easier to set environment variables ISC_USER and ISC_PASSWORD

See https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/isql/firebird-isql.html#isql-environment-variables

Tim

--
You received this message because you are subscribed to the Google Groups "firebird-support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebird-suppo...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/firebird-support/200eda54-b631-4eca-81f7-80f54a7e5032n%40googlegroups.com.

[Luciano Rodrigues Nunes Mendes]

Hi Tim,

Thank you very much for your reply!

My intention is precisely to avoid using a user/password for security reasons.

Defining ISC_USER and ISC_PASSWORD would jeopardize security even more because not only who has access to the database via Win_Sspi protocol could make the backup but any other Windows user.

I believe that the way forward would be to configure gbak to use Windows domain user authentication (Win_Sspi) to make these backups without the need to write the user/password in the Windows Batch File.

Does anyone have any other suggestions?

Best Regards,

Luciano

[Dimitry Sibiryakov]

13.01.2021 17:05, Luciano Rodrigues Nunes Mendes wrote:
> I believe that the way forward would be to configure gbak to use Windows domain user
> authentication (Win_Sspi) to make these backups without the need to write the
> user/password in the Windows Batch File.
>
> Does anyone have any other suggestions?

If you run gbak without parameters you'll see the full set of supported switches
including -TRU(STED) but I'm not sure which user it will be mapped to if run under the
scheduler. You can check it with isql (which has similar switch) and "select current_user"
query.

--
WBR, SD.

[Tim Crawford]

Not sure I understand.

When you define the ISC_USER and ISC_PASSWORD env vars
you do NOT use the -USER and -PASSWORD parameters on gbak,
gbak picks it up from the env vars

(and you don't want to use -USER and -PASSWORD, in windows they show up
in the command line params in task manager for any user that goes looking)

You can specify the env vars only for the user that you use to run the scheduled task

Another option, you can also use:
-FE[TCH_PASSWORD] <password file name> | stdin | /dev/tty


See this page:
https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gbak/firebird-gbak.html

--
Tim Crawford | ckmHEALTHCARE | Senior Consultant | office: 647-479-9583 | cell: 289-619-3032

"Affordable, Comprehensive, Easy To Use" 

Notice of Confidentiality:
The information transmitted is intended only for the person or entity to which it is addressed, and may contain confidential and/or privileged material.
Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please contact the sender immediately by return electronic transmission,
and then immediately delete this transmission including all attachments without copying distributing or disclosing same.

Avis de confidentialité:
L’information transmise est strictement réservée à la personne ou à l’organisme auquel elle est adressée et peut être de nature confidentielle.
Toute lecture retransmission divulgation ou autre utilisation de cette information ou toute action prise sur la foi de cette information par des
personnes ou organismes autres que son destinataire est interdite.  Si vous avez reçu cette information par erreur veuillez contacter son
expéditeur immédiatement par retour du courrier électronique puis supprimer cette information y compris toutes pièces jointes sans en
avoir copié divulgué ou diffusé le contenu.

[Luciano Rodrigues Nunes Mendes]

Hi Tim and Dimitry,

I got to backup using Windows Task Scheduler without User/Password by replacing the following command:

"%Firebird_Bin_Folder%\gbak.exe" -user %User% -password %Password% -backup_database "%Database%" "%CD%\%Database%.FBK" -verify -y "%CD%\%Database%.LOG" -statistics tdrw

to

%Firebird_Bin_Folder%\gbak.exe" -role RDB$ADMIN -backup_database "%Database%" "%CD%\%Database%.FBK" -verify -y "%CD%\%Database%.LOG" -statistics tdrw

Thank you very much for your valuable tips that allowed me to better understand how gbak works.

Best Regards,

Luciano

[Andrew Zenz]

Luciano, I have done something similar for client installations.

 

I havebatch files for certain tasks and included the required username and password, but I complie the .bat file to a .exe using a product called Quick Batch File Compiler.   https://www.abyssmedia.com/quickbfc/

 

I thought it was a freebie, but seems I bought it.  I’m sure there are other similar and free products around but make sure you can’t see the username/password in a viewer or similar.

 

It does the job nicely for me.

 

Cheers,

 

Andrew

--

[Luciano Rodrigues Nunes Mendes]

Hi Andrew,

This seems like an excellent suggestion not only for protecting User/Password authentication from automatic backups but also for any other type of scheduled task.

Thank you for the tip!

Best Regards,

Luciano

To view this discussion on the web, visit https://groups.google.com/d/msgid/firebird-support/A818CBF9359DB34DA06D07A1B07DD649042351D4%40AIMSERVER04.aimsoftware.local.

[Tim Crawford]

I tried the complied bat idea too. Ran into problems with various antivirus software flagging compiled bats as viruses,
and sometimes odd behaviour as to working directory when running from task manager as system...
also these things often just extract the bat and put it into a system or temp directory and run from there,
leaving the password possibly on the file system as plain text. And even then, if you still put the user/pswd
as command line parameters,  in windows they are visible while running in task manager
 (Select column Command Line)

To view this discussion on the web, visit https://groups.google.com/d/msgid/firebird-support/A818CBF9359DB34DA06D07A1B07DD649042351D4%40AIMSERVER04.aimsoftware.local.