
Gsec caveats

Normal Versus Privileged Users
Differences Between Batch And Interactive Mode
Batch Mode Exit Codes
Errors In Batch Mode Swap To Interactive Mode
Potential Security Problems

The following is a brief list of gotchas and funnies that I have detected in my own use of gsec. Some of these are mentioned above, others may not be. By collecting them all here in one place, you should be able to find out what's happening if you have problems.

Normal Versus Privileged Users

Only a privileged user can update the security database. Under Firebird 1.5, normal users can run the gsec utility but can only list the contents of the security database. The following shows what happens when a normal user runs gsec and tries to update the database.

C:\>gsec -user norman -password norman
GSEC> add myuser -pw mypassword
add record error
no permission for insert/write access to TABLE USERS

A normal user can only display details from the security database.

C:\>gsec -user norman -password norman -display
     user name                      uid   gid     full name
------------------------------------------------------------------------
SYSDBA                              0     0
NORMAN                              0     0      Norman  Dunbar
EPOCMAN                             0     0      Benoit Gilles Mascia

Note

From Firebird version 2 onwards, there are slight changes to the above. Normal users are now able to change their own passwords and can no longer display details of other users that may be present in the security database.

The above user, running under Firebird 2.0, would see the following:

C:\>gsec -user norman -password norman -display
     user name                      uid   gid     full name
------------------------------------------------------------------------
NORMAN                              0     0      Norman  Dunbar

Differences Between Batch And Interactive Mode

The gsec commands apply to both modes of operation. However, when running in batch mode, you must prefix the command name with a minus sign (-) or you will get an error message similar to the following:

C:\>gsec -user sysdba -password masterkey display
invalid parameter, no switch defined
error in switch specifications
GSEC>

Note also that you will be left in interactive mode when an error occurs. The correct command line should have a minus in front of the display command, as follows:

C:\>gsec -user sysdba -password masterkey -display
     user name                      uid   gid     full name
------------------------------------------------------------------------
SYSDBA                              0     0
NORMAN                              0     0      Norman  Dunbar
EPOCMAN                             0     0      Benoit Gilles Mascia

This time, gsec performed its duties, displayed all known users and quit from the utility.

Warning

If the environment variables ISC_USER and ISC_PASSWORD have been defined, gsec can be run without passing the -user or -password options. Defining these variables isn't a very good idea for security reasons.

Warning

As with all of the command line utilities, it is best to use the version of the gsec utility that was supplied with your database.

Batch Mode Exit Codes

When running gsec under Windows, you can trap the exit code in %ERRORLEVEL% and check it to determine the success or failure of the last command executed.

When your operating system is Unix, whatever the flavour, the exit code is found in the $? variable.

Unfortunately, using the version of gsec supplied with Firebird 1.5, it appears that gsec always exits with a zero and this makes it quite unsuitable to build into a properly error trapped batch script on either system. Sad but true.

Note

From version 2.0 of Firebird, this has been corrected and an exit code of zero indicates success while non-zero values indicate failures.

Errors In Batch Mode Swap To Interactive Mode

Sometimes, when running in batch mode, an error condition in gsec will result in gsec switching over to interactive mode. This is not very useful if you started gsec in batch mode from a script, because your script will just sit there waiting on something to be typed.
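The following wrapper is an added example, not part of the original Firebird documentation. It shows one way to call gsec from a script given the two caveats above: the unreliable exit code in 1.5 and the drop to the GSEC> prompt. The names run_gsec_batch, GSEC_BIN and GSEC_OUT are hypothetical, the error strings matched are only the ones shown on this page, and it assumes gsec leaves the interactive prompt when it reads end-of-input.

```shell
# Added example (not from the Firebird docs): script-safe gsec call.
# GSEC_BIN, GSEC_OUT and run_gsec_batch are hypothetical names.
GSEC_BIN="${GSEC_BIN:-gsec}"

# run_gsec_batch ARGS...
# Leaves gsec's combined output in $GSEC_OUT and returns:
#   0  command completed in batch mode
#   1  gsec exited non-zero (only meaningful from Firebird 2.0)
#   2  gsec fell through to the interactive GSEC> prompt
#   3  gsec exited zero but printed a known error line (Firebird 1.5)
run_gsec_batch() {
    # stdin comes from /dev/null so that a swap to interactive mode
    # reads end-of-input instead of waiting for a keyboard
    # (assumption: gsec quits the prompt on EOF).
    GSEC_OUT=$("$GSEC_BIN" "$@" 2>&1 </dev/null) && gsec_rc=0 || gsec_rc=$?

    # The prompt in the output means batch mode was abandoned.
    case $GSEC_OUT in
        *'GSEC>'*) return 2 ;;
    esac

    [ "$gsec_rc" -eq 0 ] || return 1

    # Firebird 1.5 always exits with zero, so also look for the error
    # lines shown on this page (not an exhaustive list).
    if printf '%s\n' "$GSEC_OUT" |
        grep -Eq '^(add record error|invalid parameter|error in switch specifications|no permission for)'
    then
        return 3
    fi
    return 0
}

# Typical use in a script (credentials supplied by the caller):
#   run_gsec_batch -user "$FB_USER" -password "$FB_PASS" -display ||
#       { echo "gsec failed: $GSEC_OUT" >&2; exit 1; }
```

Treat return codes 2 and 3 as failures in the calling script, even though gsec itself may have reported success.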

Potential Security Problems

Up until Firebird 2.0, running any of the Firebird utilities with a password supplied on the command line meant that anyone logged on to the same server could call ps -efx|grep -i pass (or similar) and be able to see the SYSDBA or other passwords. From Firebird 2.0 this is no longer possible as Firebird now replaces the supplied password with spaces.
