Firebird DBs only accessible as root user


Louis Erickson

Sep 5, 2023, 11:50:22 PM
to firebird-support
I have two machines this is happening on now, and can't figure out why or what I've done wrong.  They're both OpenSuSE Linux, running a relatively current release of Tumbleweed (meaning current kernel, etc.)

I have installed the Firebird-4.0.2.2816-0.amd64 package off the web site - it was current when I started this project, although I see there's a minor rev out now.  This is a very old web site that used to be Interbase and has migrated along all this way to Firebird 4, mostly without major problems.

Recently, two machines have started returning this when running queries against a DB as a non-root user:

 $ /opt/firebird/bin/isql -u db_owner -p db_pw /home/firebird/data/db.gdb
Statement failed, SQLSTATE = 08001
I/O error during "open" operation for file "/home/firebird/data/db.gdb"
-Error while trying to open file
-Permission denied
-/tmp/firebird/
Use CONNECT or CREATE DATABASE to specify a database
SQL> ^D

If I run the same command as the root user, it works and data is returned.

It doesn't seem to matter what DB user I try as; SYSDBA performs the same errors as the DB owner.

It's acting like it is trying direct file i/o instead of going through the running server, but that's only a guess on my part.

There is a running server on port 3050 of the same machine.

All the database files are owned by firebird:firebird, and should be readable by the running server.  Only root seems able to see them, however.

Any idea what I've done wrong here, or where to look to get more debugging information to see what can't read what?

Tomasz Dubiel

Sep 6, 2023, 2:35:44 AM
to firebird-support
You have /tmp/firebird mentioned in the error message. That's probably the directory not accessible by firebird.
Best regards,
Tomasz.

Tomasz Tyrakowski

Sep 6, 2023, 2:35:48 AM
to firebird...@googlegroups.com
On 06.09.2023 at 05:37, Louis Erickson wrote:
> [...]
> Recently, two machines have started returning this when running queries
> against a DB as a non-root user:
>
> $ /opt/firebird/bin/isql -u db_owner -p db_pw /home/firebird/data/db.gdb
> Statement failed, SQLSTATE = 08001
> I/O error during "open" operation for file "/home/firebird/data/db.gdb"
> -Error while trying to open file
> -Permission denied
> -/tmp/firebird/
> Use CONNECT or CREATE DATABASE to specify a database
> SQL> ^D
>
> If I run the same command as the root user, it works and data is returned.
>
> It doesn't seem to matter what DB user I try as; SYSDBA performs the same
> errors as the DB owner.
> [...]

When you specify just the database file path, you're using embedded
mode, i.e. you access the DB file directly, not via the Firebird server
process. The user you're logged in as doesn't have permissions to
/home/firebird, while root does (obviously) - that's why you can access
the DB as root.
Change /home/firebird/data/db.gdb to
localhost:/home/firebird/data/db.gdb and it should work fine (it will
actually connect to the FB server process on the local machine, and the
latter, from what you wrote, has permissions to /home/firebird).

regards
Tomasz
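
Added example, not part of any post in this thread: a POSIX shell check that classifies the two connection-string forms discussed above and, for the bare-path (embedded) form, reports the first path component the current account cannot use. The function names `conn_mode`, `first_denied` and `diagnose` are hypothetical helpers, not Firebird tooling, and only the two forms shown in the thread are recognised.

```shell
# Added example; function names are hypothetical, not Firebird tooling.

# conn_mode STRING: classify the two connection-string forms in the thread.
#   /path/db.gdb       bare path: the calling process opens the file itself
#   host:/path/db.gdb  the server process on "host" opens the file
# Aliases, relative paths and other syntaxes are reported as "unknown".
conn_mode() {
    case "$1" in
        /*)    echo embedded ;;
        ?*:/*) echo remote ;;
        *)     echo unknown ;;
    esac
}

# first_denied PATH: print the first component of an absolute PATH that the
# current user cannot use (directory missing or without search permission,
# final entry missing or not readable and writable). Returns 0 if none.
first_denied() {
    cur=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -n "$rest" ]; then
            [ -d "$cur" ] && [ -x "$cur" ] || { echo "$cur"; return 1; }
        else
            [ -r "$cur" ] && [ -w "$cur" ] || { echo "$cur"; return 1; }
        fi
    done
    return 0
}

# diagnose STRING: one-line verdict for the account running this script.
diagnose() {
    case "$(conn_mode "$1")" in
        remote)   echo "remote: only the server account needs file access" ;;
        embedded) if bad=$(first_denied "$1"); then
                      echo "embedded: $(id -un) can open $1"
                  else
                      echo "embedded: $(id -un) is blocked at $bad"
                  fi ;;
        *)        echo "unknown connection string form" ;;
    esac
}
```

Source the file as the account that gets the error and call `diagnose /home/firebird/data/db.gdb`; `first_denied` can be pointed at the `/tmp/firebird/` directory named in the error message in the same way.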


Louis Erickson

Sep 6, 2023, 11:28:26 PM
to firebird-support
Interesting! 

Thanks, Tomasz, I was wondering if that was what was happening.  I've worked around the problem for now by adding the webserver to the firebird group, but would obviously rather not do that and will try localhost:/home/firebird/data/db.gdb instead. 

Is this a change, or has it been this way a while?  In the Firebird 2 days, as far as I knew I was using the TCP socket to access the DB - permissions have been restricted for years - but have always just used the path to the DB file to access the files.

Have I been using embedded mode all this time and it just happened to work, or is this a change to the system?  This is a legacy system that doesn't get much attention till it breaks.  (For example, it still uses gsec for user management, which I understand is deprecated and I'll have to figure out a new one.)

Thanks for the quick and helpful reply!

Tomasz Tyrakowski

Sep 7, 2023, 2:12:36 AM
to firebird...@googlegroups.com
On 07.09.2023 at 05:28, Louis Erickson wrote:
> [...]
> Is this a change, or has it been this way a while? In the Firebird 2 days,
> as far as I knew I was using the TCP socket to access the DB - permissions
> have been restricted for years - but have always just used the path to the
> DB file to access the files.
>
> Have I been using embedded mode all this time and it just happened to work,
> or is this a change to the system? This is a legacy system that doesn't
> get much attention till it breaks. (For example, it still uses gsec for
> user management, which I understand is deprecated and I'll have to figure
> out a new one.)

AFAIK it's worked that way at least since v2 (I don't remember how
exactly it worked in 1.x). However, it might also depend on the
client-side stack your software uses (especially DB access libraries,
like Python FB driver, PHP's PDO/ibase FB driver, Delphi DB components,
node-firebird, etc. - whichever you use). It's possible the library used
to force TCP/IP connections even for local DB paths (assuming localhost
when no host was provided in the connection params) and stopped doing so
after an upgrade (but it's not very likely). What I'm trying to say is
the change might have been caused by changes in client software, not
Firebird server.
It's hard to tell, not knowing exactly what has been working before and
stopped.

regards
Tomasz
