5.2. Security

Firebird 3 offers a number of security options, designed to make unauthorised access as difficult as possible. Be warned however that some configurable security features default to the old, “insecure” behaviour inherited from InterBase and earlier Firebird versions, in order not to break existing applications.

It pays to familiarise yourself with Firebird’s security-related configuration parameters. You can significantly enhance your system’s security if you raise the protection level wherever possible. This is not only a matter of setting parameters, by the way: other measures involve tuning filesystem access permissions, an intelligent user accounts policy, etc.

Below are some guidelines for protecting your Firebird server and databases.

Run Firebird as non-system user

On Unix-like systems, Firebird already runs as user firebird by default, not as root. On Windows server platforms, you can also run the Firebird service under a designated user account (e.g. Firebird). The default practice — running the service as the LocalSystem user — poses a security risk if your system is connected to the Internet. Consult README.instsvc.txt in the doc subdir to learn more about this.

Change SYSDBA‘s password

As discussed before, if your Firebird server is reachable from the network and the system password is masterkey, change it.

Don’t create user databases as SYSDBA

SYSDBA is a very powerful account, with full (destructive) access rights to all your Firebird databases. Its password should be known to a few trusted database administrators only. Therefore, you shouldn’t use this super-account to create and populate regular databases. Instead, generate normal user accounts, and provide their account names and passwords to your users as needed. You can do this with the SQL user management commands as shown above, or with any decent third-party Firebird administration tool.

Protect databases on the filesystem level

Anybody who has filesystem-level read access to a database file can copy it, install it on a system under his or her own control, and extract all data from it — including possibly sensitive information. Anybody who has filesystem-level write access to a database file can corrupt it or totally destroy it.

Also, anybody with filesystem-level access to a database can make an embedded connection to it posing as any Firebird user (including SYSDBA) without having his credentials checked. This can be especially disastrous if it concerns the security database!

As a rule, only the Firebird server process should have access to the database files. Users don’t need, and should not have, access to the files — not even read-only. They query databases via the server, and the server makes sure that users only get the allowed type of access (if at all) to any objects within the database.

As a relaxation of this rule, most Firebird configurations allow users to create and use databases in their own filesystem space and make embedded connections to them. Since these are their files and their data, one may argue that unrestricted and possibly destructive access should be their own concern, not yours.

If you don’t want or need this relaxation, follow the instructions in the next item.

Disable embedded connections

If you don’t want any type of direct access, you may disable embedded mode (= direct filesystem-level access) altogether by opening firebird.conf and locating the Providers entry. The default (which is probably commented out) is:

  1. #Providers = Remote,Engine12,Loopback

Now, either remove the hash mark and the Engine12 provider (this is the one that makes the embedded connections), or — better — add an uncommented line:

  1. Providers = Remote,Loopback

The Remote provider takes care of remote connections; the Loopback provider is responsible for TCP/IP connections via localhost, as well as (on Windows) WNET/NetBEUI and XNET connections to databases on the local machine. All these connection types require full authentication and have the server process, not the user process, open the database file.

Please notice that you can also set the Providers parameter on a per-database basis. You can set a default in firebird.conf as shown above, and then override it for individual databases in databases.conf like this:

  1. bigbase = C:\Databases\Accounting\Biggus.fdb
  2. {
  3.   Providers = Engine12,Loopback
  4. }

The first line defines the alias (see next item), and everything between the curly brackets are parameters for that specific database. You’ll find databases.conf in the same directory as firebird.conf. Refer to the Release Notes, chapter Configuration Additions and Changes, section Per-database Configuration, for more information about the various parameters.

Use database aliases

Database aliases hide physical database locations from the client. Using aliases, a client can e.g. connect to “frodo:zappa” without having to know that the real location is frodo:/var/firebird/music/underground/mothers_of_invention.fdb. Aliases also allow you to relocate databases while the clients keep using their existing connection strings.

Aliases are listed in the file databases.conf, in this format on Windows machines:

  1. poker = E:\Games\Data\PokerBase.fdb
  2. blackjack.fdb = C:\Firebird\Databases\cardgames\blkjk_2.fdb

And on Linux:

  1. books = /home/bookworm/database/books.fdb
  2. zappa = /var/firebird/music/underground/mothers_of_invention.fdb

Giving the alias an .fdb (or any other) extension is fully optional. Of course if you do include it, you must also specify it when you use the alias to connect to the database.

Aliases, once entered and saved, take effect immediately. There is no need to restart the server.

Restrict database access

The DatabaseAccess parameter in firebird.conf can be set to Restrict to limit access to explicitly listed filesystem trees, or even to None to allow access to aliased databases only. Default is Full, i.e. no restrictions.

Note that this is not the same thing as the filesystem-level access protection discussed earlier: when DatabaseAccess is anything other than Full, the server will refuse to open any databases outside the defined scope even if it has sufficient rights on the database files.

Choose your authentication method(s)

Firebird supports three authentication methods when connecting to databases:

  1. Srp (Secure Remote Password): The user must identify him/herself with a Firebird username and password, which the server checks against the security database. The maximum effective password length is around 20 bytes, although you may specify longer passwords. Wire encryption is used.

  2. Win_Sspi (Windows Security Support Provider Interface): The user is logged in automatically with his Windows account name.

  3. Legacy_Auth: Insecure method used in previous Firebird versions. Passwords have a maximum length of 8 bytes and are sent unencrypted across the wire. Avoid this method if possible.

Two configuration parameters control Firebird’s authentication behaviour:

  • AuthServer determines how a user can connect to the local server. It is usually “Srp” or, on Windows machines, “Srp, Win_Sspi”. In the latter case, the user will be authenticated with his Windows login if he fails to supply user credentials (causing the Srp method, which is tried first, to fail).

  • AuthClient defines how the local client tries to authenticate the user when making a connection. It is usually “Srp, Win_Sspi, Legacy_Auth”, allowing the user to connect to pre-Firebird-3 servers on remote machines.

If Win_Sspi and/or Legacy_Auth are allowed on the server side, you must also set the WireCrypt parameter to Enabled or Disabled, but not Required.

Likewise, if a server (not a client!) supports Legacy_Auth, the UserManager parameter must be set to Legacy_UserManager instead of Srp. (The default Srp user manager can still be addressed by adding USING PLUGIN SRP to your user management commands.)

The AuthServer, AuthClient, WireCrypt and UserManager parameters are all set in firebird.conf en can be overridden per database in databases.conf.

Please notice: enabling Win_Sspi on the server activates the plugin but doesn’t grant Windows accounts any type of access to databases yet. Logging in to, say, the employee database without credentials (and making sure no embedded connection is made) will result in this error message:

  1. SQL> connect xnet://employee;
  2. Statement failed, SQLSTATE = 28000
  3. Missing security context for employee

In other words: “We know who you are (because the Win_Sspi plugin identified you) but you can’t come in.”

The solution is to create, as SYSDBA, a global mapping that gives any Windows account access to databases — but no special privileges — under the same name. This is done with the following command:

  1. create global mapping trusted_auth
  2. using plugin win_sspi
  3. from any user to user

Trusted_auth is just a chosen name for the mapping. You may use another identifier. From any user means that the mapping is valid for any user authenticated by the Win_Sspi plugin. To user indicates that every user will be made known under his own Windows account name in each database he connects to. If instead we had specified to user bob, then every Windows user authenticated by the Win_Sspi plugin would be bob in every database.

With the mapping in effect, the “Windows trusted” connection succeeds:

  1. SQL> connect xnet://employee;
  2. Database: xnet://employee, User: SOFA\PAUL
  3. SQL> select current_user from rdb$database;
  5. USER
  6. ===============================
  7. SOFA\PAUL

With embedded connections, i.e. serverless connections handled by Engine12, where the client process directly opens the database file, the user is also logged in under his Windows account name if he doesn’t provide a user name when connecting. However, this doesn’t require Win_Sspi to be enabled, nor does it need any explicit mapping:

  1. SQL> connect employee;
  2. Database: employee, User: PAUL
  3. SQL> select current_user from rdb$database;
  5. USER
  6. ===============================
  7. PAUL

Consider whether Windows administrators should have SYSDBA rights

In Firebird 2.1, if the (now defunct) configuration parameter Authentication was trusted or mixed, Windows administrators would automatically receive SYSDBA privileges in all databases, including the security database. In Firebird 2.5 and later, this is no longer the case. This reduces the risk that administrators with little or no Firebird knowledge mess up databases or user accounts.

If you still want to apply the automatic SYSDBA mapping as it was in Firebird 2.1, login as SYSDBA and give the command:

  1. create global mapping win_admin_sysdba
  2. using plugin win_sspi
  3. from predefined_group domain_any_rid_admins
  4. to user sysdba

This grants all Windows administrators automatic SYSDBA rights in every database (including the security database, so they can manage user accounts), provided that they are authenticated by the Win_Sspi plugin. To achieve this, they must connect

  • without supplying any user credentials, and

  • making sure that the Engine12 provider doesn’t kick in. This is easily achieved with a connection string like xnet://local-path-or-alias.

To give just one administrator — or indeed any user — full SYSDBA power, use this command:

  1. create global mapping frank_sysdba
  2. using plugin win_sspi
  3. from user "sofa\frank"
  4. to user sysdba

The double quotes are necessary because of the backslash in the user name. (Specifying just frank will be accepted by Firebird, but won’t result in a working mapping on most, if not all, Windows systems.)

You can drop any mapping with the command:

  1. DROP [GLOBAL] MAPPING mapping_name

E.g.:

  1. drop global mapping win_admin_sysdba;
  2. drop global mapping frank_sysdba;

The GLOBAL keyword is necessary if it concerns a global mapping and you’re not directly connected to the security database where the mapping is registered.