Firebird isql access with random SYSDBA password


Jens Reckziegel

Jun 30, 2021, 9:52:15 AM
to firebird-support

Hello,

Yesterday I had the case that I changed the SYSDBA password with the tool isql. During this change I noticed that it does not matter which password I use to connect to a database. Wouldn't this be a big security issue? Everybody can connect to a database with a random password in combination with alias SYSDBA.
In the example below the password of the SYSDBA was masterkey.

Windows 10 Pro 1909
Firebird Version: 3.0.7.33374_1_x64.exe

Please see description of the cmd commands:

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user sysdba -password masterkey Zentrale1.FDB
Database: Zentrale1.FDB, User: SYSDBA
SQL> select count(*) from device;
                COUNT
=====================
               164756

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user sysdba -password Test Zentrale1.FDB
Database: Zentrale1.FDB, User: SYSDBA
SQL> select count(*) from device;
                COUNT
=====================
               164756

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user sysdba -password blubber Zentrale1.FDB
Database: Zentrale1.FDB, User: SYSDBA
SQL> select count(*) from device;
                COUNT
=====================
               164756

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user sysdba -password keinPasswortgesetzt Zentrale1.FDB
Database: Zentrale1.FDB, User: SYSDBA
SQL> select count(*) from device;
                COUNT
=====================
               164756

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user user -password keinPasswortgesetzt Zentrale1.FDB
Database: Zentrale1.FDB, User: USER
SQL> select count(*) from device;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE DEVICE

C:\...\DB>"c:\Program Files\Firebird\Firebird_3_0\isql.exe" -user SYSDBA Zentrale1.FDB
Database: Zentrale1.FDB, User: SYSDBA
SQL> select count(*) from device;
                COUNT
=====================
               164756


Thanks

Mark Rotteveel

Jun 30, 2021, 9:57:30 AM
to firebird...@googlegroups.com
On 2021-06-30 15:44, Jens Reckziegel wrote:
> Yesterday I had the case that I changed the SYSDBA password with the
> tool isql. During this change I noticed that it does not matter which
> password I use to connect to a database. Wouldn't this be a big
> security issue? Everybody can connect to a database with a random
> password in combination with alias SYSDBA.
>
> In the example below the password of the SYSDBA was masterkey.

This is expected. You are using a connection string that only contains a
filepath, and therefore the embedded engine is used to connect. The
embedded engine does not check user name and password. If the user has
filesystem level read and write access to the file, that is taken as
sufficient permission to open the database. Passwords are only checked
when you connect through the Firebird server (e.g. using
localhost:<path-to-db> or using the XNET, WNET or INET connection
strings).

Mark
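
Added example (not part of the thread, and not Firebird project code): a Python check that sorts connection strings into those that go through the server and those that a bare path or alias hands to the embedded engine, where, as explained above, only filesystem permissions apply. The regular expressions, the function names, the single-letter drive rule and every sample string except `Zentrale1.FDB` are assumptions of this example.

```python
import re

# URL-style prefixes (inet://, inet4://, inet6://, wnet://, xnet://)
URL_STYLE = re.compile(r"^(inet[46]?|wnet|xnet)://", re.IGNORECASE)
# Legacy WNET form: \\host\path
WNET_LEGACY = re.compile(r"^\\\\[^\\]+\\")
# Assumption: a single letter before ':' is a Windows drive, not a host name
DRIVE_PATH = re.compile(r"^[A-Za-z]:")
# Legacy INET form: host:path or host/port:path
INET_LEGACY = re.compile(r"^[^:\\/]+(/[^:\\/]+)?:.+")


def classify(conn: str) -> str:
    """Return 'server' if the string names a host or protocol, else 'embedded'."""
    conn = conn.strip().strip('"')
    if URL_STYLE.match(conn) or WNET_LEGACY.match(conn):
        return "server"
    if DRIVE_PATH.match(conn):
        return "embedded"
    if INET_LEGACY.match(conn):
        return "server"
    return "embedded"  # bare file name, relative path or alias


def unauthenticated(conns):
    """Connection strings whose access depends on file permissions only."""
    return [c for c in conns if classify(c) == "embedded"]


# Constructed samples; only Zentrale1.FDB appears in the thread.
SAMPLES = [
    "Zentrale1.FDB",
    r"C:\DB\Zentrale1.FDB",
    r"localhost:C:\DB\Zentrale1.FDB",
    "localhost/3050:Zentrale1",
    r"inet://localhost/C:\DB\Zentrale1.FDB",
    r"xnet://C:\DB\Zentrale1.FDB",
    r"\\dbhost\C:\DB\Zentrale1.FDB",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):9} {s}")
```

Strings reported as `embedded` are the ones to protect with filesystem permissions on the database file, since no password is checked for them.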

Gabor Boros

Jun 30, 2021, 9:58:02 AM
to firebird...@googlegroups.com
On 2021.06.30. 15:44, Jens Reckziegel wrote:
>
> Hello,
>
> Yesterday I had the case that I changed the SYSDBA password with the
> tool isql. During this change I noticed that it does not matter which
> password I use to connect to a database. Wouldn't this be a big security
> issue? Everybody can connect to a database with a random password in
> combination with alias SYSDBA.


With embedded mode the password does not count.

Gabor

Jens Reckziegel

Jun 30, 2021, 10:10:36 AM
to firebird-support
Thanks for the quick answer!!