
Interactive Mode

Displaying User Details
Adding New Users
Deleting Existing Users
Amending Existing Users
OS Admin Mapping
Help
Version Information

To run gsec in interactive mode, start the utility from the command line:

C:\>gsec -user sysdba -password masterkey
GSEC>

The GSEC> prompt shows that the utility is waiting for a command. The -user and -password options are those of the user who wishes to manipulate the security database. Obviously, the username supplied must be a valid SYSDBA user if updates are to be carried out. Normal users may only read the database.

Note

With Firebird 1.5 and Windows Vista this may not work correctly and an 'unavailable database' error will be displayed. The problem is caused by trying to use the IPCServer transport implemented in Firebird 1.5 which doesn't work on Vista. The solution is to use TCP local loopback.

  • Put an alias in aliases.conf for the path to your security.fdb, e.g. sec = C:\Program Files\Firebird\Firebird_1_5\security.fdb.

  • Call gsec using gsec -database localhost:sec -user SYSDBA -password masterkey

As localhost may not be available on some Vista workstations you may have to change localhost in the command above to use the actual host name or the IP address of the Vista computer.

To exit gsec in interactive mode, use the quit command:

GSEC> quit
C:\>

The following sections show how to carry out various commands in interactive mode. It is assumed that you are already running the utility as a SYSDBA user.

Displaying User Details

Note

From Firebird 2.5 onwards, the display command shows an additional column named admin. This shows the text admin where a user has been granted the RDB$ADMIN role either within the database, or by using gsec. In the following examples, this detail is shown where it is necessary; otherwise, all output examples are as per Firebird 2.0.

To display all users in the security database, the command and its output are:

GSEC> display
     user name                      uid   gid     full name
------------------------------------------------------------------------
SYSDBA                              0     0
NORMAN                              0     0      Norman  Dunbar
EPOCMAN                             0     0      Benoit Gilles Mascia
GSEC> 

To display details of a single user, pass the username as a parameter to the display command.

GSEC> display epocman
     user name                      uid   gid     full name
------------------------------------------------------------------------
EPOCMAN                             0     0      Benoit Gilles Mascia
GSEC> 

If you enter the name of a non-existent user as a parameter of the display command, nothing is displayed and gsec remains in interactive mode.

GSEC> display alison
GSEC> 

Adding New Users

When adding a new user in interactive mode, nothing is displayed to confirm that the user was indeed added. You need to use the display or display <name> commands to make sure that the user was added successfully.

GSEC> add newuser -pw newuser -fname New -lname User
GSEC> 
GSEC> display newuser
     user name                      uid   gid     full name
------------------------------------------------------------------------
NEWUSER                             0     0      New  User
GSEC> 

From Firebird 2.5 onwards, a new role - RDB$ADMIN - has been added to the security database. Gsec allows you to indicate whether new users are assigned this role. The display command has also been modified to show whether a user has this role or not.

GSEC> add newadmin -pw secret -fname New -mname admin -lname User -admin yes
GSEC> 
GSEC> display newadmin
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
NEWADMIN                            0     0 admin     New admin User
GSEC> 

Deleting Existing Users

When deleting a user in interactive mode, there is no confirmation that the user has been deleted. You should use the display or display <name> command to check.

GSEC> delete newuser
GSEC> 
GSEC> display
     user name                      uid   gid     full name
------------------------------------------------------------------------
SYSDBA                              0     0
NORMAN                              0     0      Norman  Dunbar
EPOCMAN                             0     0      Benoit Gilles Mascia
GSEC> 

If, on the other hand, you try to delete a non-existing user, gsec will display an error message, and exit.

GSEC> delete newuser
record not found for user: NEWUSER

C:\>

Amending Existing Users

Existing users can have one or more of their password, first name, middle name or last name amended. There is no confirmation that your modification has worked, so you must use one of the display commands to check the result.

GSEC> modify norman -pw newpassword
GSEC> 
GSEC> modify norman -mname MiddleName -fname Fred
GSEC> 
GSEC> display norman
     user name                      uid   gid     full name
------------------------------------------------------------------------
NORMAN                              0     0      Fred MiddleName Dunbar
GSEC> 

If you wish to remove one or more of a user's attributes, don't pass a (new) value for that attribute.

GSEC> modify norman -mname -fname -lname
GSEC> display norman
     user name                      uid   gid     full name
------------------------------------------------------------------------
NORMAN                              0     0      
GSEC>

Now I can be known as 'the man with no name', just like Clint Eastwood!

From Firebird 2.5 onwards, a user's admin rights can be modified using this command:

GSEC> modify norman -admin yes
GSEC> display norman
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
NORMAN                              0     0 admin     New admin User
GSEC> 
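
Because add, delete and modify print no confirmation, the result has to be checked against the display output, and from Firebird 2.5 that output also shows who holds RDB$ADMIN. The following is an added example, not part of the Firebird documentation or of gsec itself: it parses captured display output in either layout shown above and reports missing users, users that should have been deleted, and unexpected admin flags. The function names, the sample transcript and the user ALISON's row are constructed for illustration.

```python
import re

# Constructed transcript in the layout of the Firebird 2.5 examples above.
SAMPLE = """\
GSEC> display
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
SYSDBA                              0     0
NORMAN                              0     0 admin     Norman  Dunbar
ALISON                              0     0           admin Team
NEWADMIN                            0     0 admin     New admin User
GSEC>
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(.*)$")

def parse_display(text):
    """Map USERNAME -> {uid, gid, admin, full_name} from gsec display output."""
    users, has_admin_col = {}, False
    for line in text.splitlines():
        if line.strip().startswith("user name"):
            # Firebird 2.5+ adds an "admin" column to the header.
            has_admin_col = "admin" in line.split()
            continue
        m = ROW.match(line.rstrip())
        if not m:  # prompts, separator rows, error text, blank lines
            continue
        name, uid, gid, tail = m.groups()
        # Assumption: the flag sits exactly one space after gid, as in the
        # page's sample row; a full name starting with "admin" is further right.
        is_admin = has_admin_col and re.match(r" admin\b", tail) is not None
        if is_admin:
            tail = tail[len(" admin"):]
        users[name.upper()] = {"uid": int(uid), "gid": int(gid),
                               "admin": is_admin, "full_name": " ".join(tail.split())}
    return users

def check_users(text, must_exist=(), must_not_exist=(), allowed_admins=()):
    """Return findings; an empty list means the display output matches intent."""
    users = parse_display(text)
    allowed = {u.upper() for u in allowed_admins}
    findings = [f"missing user: {u.upper()}" for u in must_exist if u.upper() not in users]
    findings += [f"user still present: {u.upper()}" for u in must_not_exist if u.upper() in users]
    findings += [f"unexpected RDB$ADMIN: {n}" for n, r in users.items()
                 if r["admin"] and n not in allowed]
    return findings

if __name__ == "__main__":
    for finding in check_users(SAMPLE, must_exist=["newadmin"],
                               must_not_exist=["newuser"], allowed_admins=["newadmin"]):
        print(finding)
```
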

OS Admin Mapping

Note

Firebird 2.5.

Since Firebird 2.1, Windows domain administrators have had full access to the user management functions. This meant that when an admin user connected to the server and then used gsec, they had the ability to modify any user account in the security database.

From Firebird 2.5 they do not get these privileges automatically unless the DBA has configured the security database to make it happen automatically. This can be done in isql as follows:

SQL> alter role rdb$admin set auto admin mapping;
SQL> commit;

The command above will cause all Windows Administrator accounts to automatically have full access to the user management functions. The automatic mapping can be revoked as follows:

SQL> alter role rdb$admin drop auto admin mapping;
SQL> commit;

The same setting can also be changed from within gsec by using the mapping command, which takes a parameter of set or drop accordingly.

GSEC> mapping set

or:

GSEC> mapping drop

Help

The help command, in interactive mode, displays the same help screen as shown above. From Firebird 2.5, this can be abbreviated to a single question mark.

Version Information

The version of gsec can be obtained using the z command.

GSEC> z
gsec version  WI-V1.5.0.4306 Firebird 1.5
GSEC>

Or, in gsec from Firebird 2.5:

GSEC> z
gsec version LI-V2.5.0.26074 Firebird 2.5
GSEC>