
Key: CORE-4648
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Volker Rehn
Votes: 0
Watchers: 3
Firebird Core

no permission for CREATE access to DATABASE (for RDB$ADMIN)

Created: 23/Dec/14 01:15 PM   Updated: 11/Jun/15 11:57 AM
Component/s: Security
Affects Version/s: 3.0 Beta 1
Fix Version/s: 3.0 Beta 2

Environment: Win7 64Bit WI-T3.0.0.31374 Firebird 3.0 Beta 1

QA Status: Done with caveats
Test Details:
NB! Needs to be re-implemented because `grant create database to u4648;` can't be run on current FB version:
===
Statement failed, SQLSTATE = 0A000
unsuccessful metadata update
-GRANT failed
-feature is not supported
-Only grants to USER or ROLE are supported for CREATE DATABASE
===


Description
RDB$ADMIN can't restore a database, which worked in Firebird 3 alpha build 31152.

Used isql of Firebird3 beta as sysdba to set up a new user xy, made xy admin by doing grant RDB$ADMIN to xy; alter user xy grant admin role.
This new user, although admin, is not allowed to restore a database. Verified in isql that xy is RDB$ADMIN by doing select * from sec$users.

This user does not have privilege to perform this operation on this object.no permission for CREATE access to DATABASE C:\WEB\DATA\DATA4.FDB.

sysdba *can* restore this database. xy *can* restore using gbak -C ... -role RDB$ADMIN ...

firebird.conf is modified, since I use legacy applications (php, Flamerobin, SQLHammer)

AuthServer = Legacy_Auth
AuthClient = Legacy_Auth
UserManager = Legacy_UserManager
CryptPlugin =
WireCrypt = Disabled

Perhaps something with the service mgr? This worked in Build 31152

Comments
Alexander Peshkov added a comment - 23/Dec/14 01:33 PM
Volker, if "xy *can* restore using gbak -C ... -role RDB$ADMIN" what is the problem?

BTW, using legacy applications you still can use new security model. They should work with fresh fbclient. If not - it's a bug.

Volker Rehn added a comment - 23/Dec/14 02:51 PM - edited
> if "xy *can* restore using gbak -C ... -role RDB$ADMIN" what is the problem?

applications do not always have access to the command line, it should not be necessary for restore.
But the point is, it seems that the RDB$ADMIN role is not properly conveyed from an application to the server, or for some other reason the server does not apply the admin role.

Please try this in Flamerobin: connect as a user who is rdb$admin, use this role, and
create user abc password 'xxx'

 I get

Engine Code : 336723987
Engine Message :
add record error
no permission for INSERT access to TABLE PLG$VIEW_USERS
unknown ISC error 0

related: admin xy only sees his own record when doing select sec$user_name from sec$users in Flamerobin. Running the same query in isql as admin xy shows all users.

> using legacy applications you still can use new security model. They should work with fresh fbclient. If not - it's a bug.

this is the complete error msg trying to restore using Flamerobin
Engine Code : 335544352
Engine Message :
no permission for CREATE access to DATABASE data5
failed to create database data5
unknown ISC error 336330835

Alexander Peshkov added a comment - 26/Dec/14 03:35 PM
Please avoid placing information about more than one bug in single issue.

Volker Rehn added a comment - 04/Jan/15 05:25 PM
The issue with restoring a database as rdb$admin is not resolved, tested with snapshot 31529, please reopen subtask http://tracker.firebirdsql.org/browse/CORE-4651

I still get the same error msg as in my last comment. Are there additional requirements (configuration, placement of files) for this to work?

The other two bugs are resolved:
Running "create user abc ..." and "select * from sec$users" as rdb$admin from applications other than isql now work as expected.

Sorry for reporting several bugs in one ticket, I thought they were all symptoms of the same root cause.

Alexander Peshkov added a comment - 08/Jan/15 02:20 PM
I've made required fixes to firebird but that DOES NOT mean that it will be AT ONCE possible to restore database using flamerobin as you want. Some fixes are needed in flamerobin to make it learn to pass role name when restoring database (and to other services).

Volker Rehn added a comment - 08/Jan/15 03:42 PM
Great, thanks, I understand. Any application using the services_mgr for restore needs to call the API differently for this to work.
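
The last two comments say that a client has to pass the role name when it attaches to the service manager. As an added example (not code from Firebird, FlameRobin or this ticket), the C below builds a service parameter block with and without a role clumplet. The function names are hypothetical, the password is constructed, and the constant values are reproduced from `ibase.h` as an assumption to check against the installed header.

```c
#include <stdio.h>
#include <string.h>
/* Assumed to match ibase.h; copied here so the example builds without
   the Firebird client headers. Verify against your installed header. */
#define isc_spb_current_version 2
#define isc_spb_version         isc_spb_current_version
#define isc_spb_user_name       28
#define isc_spb_password        29
#define isc_spb_sql_role_name   60

/* Append one string clumplet (tag, 1-byte length, bytes).
   Returns the new offset, or -1 on overflow or a prior error. */
static int spb_put(unsigned char *buf, size_t cap, int off,
                   unsigned char tag, const char *val)
{
    size_t len = strlen(val);
    if (off < 0 || len > 255 || (size_t)off + 2 + len > cap)
        return -1;
    buf[off++] = tag;
    buf[off++] = (unsigned char)len;
    memcpy(buf + off, val, len);
    return off + (int)len;
}
/* Build the attach SPB. role == NULL reproduces a client that never
   sends a role. Returns the SPB length, or -1 if buf is too small. */
int build_attach_spb(unsigned char *buf, size_t cap, const char *user,
                     const char *password, const char *role)
{
    int off = 0;
    if (cap < 2) return -1;
    buf[off++] = isc_spb_version;
    buf[off++] = isc_spb_current_version;
    off = spb_put(buf, cap, off, isc_spb_user_name, user);
    off = spb_put(buf, cap, off, isc_spb_password, password);
    if (role != NULL)
        off = spb_put(buf, cap, off, isc_spb_sql_role_name, role);
    return off;
}

/* Walk the clumplets after the 2-byte header; 1 if a role is present. */
int spb_has_role(const unsigned char *buf, int len)
{
    for (int i = 2; i + 1 < len; i += 2 + buf[i + 1])
        if (buf[i] == isc_spb_sql_role_name) return 1;
    return 0;
}

int main(void)
{
    unsigned char spb[128];
    int n = build_attach_spb(spb, sizeof spb, "xy", "secret", "RDB$ADMIN");
    printf("SPB length %d, role present: %d\n", n, spb_has_role(spb, n));
    return 0;
}
```

The buffer and its length are what a client would hand to `isc_service_attach()`. A check like `spb_has_role` can be used in a client's tests to confirm the role is sent before a restore is requested.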