
Key: CORE-4964
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Minor
Assignee: Alexander Peshkov
Reporter: Dimitry Sibiryakov
Votes: 0
Watchers: 3
Firebird Core

Real errors during connect to security database are hidden by Srp user manager. Errors should be logged no matter what AuthServer is used.

Created: 18/Oct/15 12:28 PM   Updated: 15/May/18 06:25 AM
Component/s: Engine
Affects Version/s: 3.0 RC1
Fix Version/s: 3.0 RC2, 3.0.4, 4.0 Beta 1

Environment: Windows, default firebird.conf

QA Status: Done successfully


Description
Whichever error happens during attach to the security database, the user will get only the confusing and misguiding "Your user name and password are not defined.". Thus it is almost impossible to diagnose problems with the security database.

To reproduce the problem you can replace security database with any garbage file.

Alexander Peshkov added a comment - 19/Oct/15 10:16 AM
This is as designed - in order to avoid potential problems with security, the actual reasons for inability to validate login/password are not broadcast all over the world.
Instead they are written to server's firebird.log file, where any reasonable sysadmin can easily find them. For your particular sample I get:
localhost Mon Oct 19 13:11:12 2015
    Database: /usr/home/firebird/Trunks/trunk/gen/Release/firebird/security3.fdb
    file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

PS. Debugging version does return that class of messages to the client.

Dimitry Sibiryakov added a comment - 19/Oct/15 10:30 AM - edited
On Windows with release build of current trunk run as an application I got nothing in firebird.log.

Edit: Legacy_UserManager indeed writes error into log. Srp as in default config - doesn't.

Sean Leyne added a comment - 19/Oct/15 02:51 PM
Alexander,

While I fully support the need to not broadcast security issues, the current error message is very misleading.

It would be better for another message to be returned ("Error occurred during login, please check server firebird.log for detail") which would clearly outline that the error is "system" related rather than simple user credentials. This would align with how other systems/OS deal with login errors (Windows reports "unable to connect to domain server" vs. "user credentials are invalid").

Pavel Zotov added a comment - 08/May/18 04:44 AM
> Instead they are written to server's firebird.log <...>
> file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

Can NOT reproduce this on WI-V3.0.4.32963, tried SS & CS, for both UserManager = Legacy_UserManager and Srp.

Scenario:

* Use following parameters in the firebird.conf:
    AuthServer = Legacy_Auth,Srp,Win_Sspi
    UserManager = Legacy_UserManager,Srp
    AuthClient = Legacy_Auth,Srp
    WireCrypt = Disabled

* Restart FB service

* create database using default security.db, let its name be: C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
    SQL> create database 'localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb' user sysdba password 'masterkey';
    SQL> show database;
    Database: localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
            Owner: SYSDBA
    PAGE_SIZE 8192
    Number of DB pages allocated = 180
    . . .
    Database not encrypted
    Default Character set: NONE
    SQL> quit;


* open %FIREBIRD_HOME%\databases.conf and change there "SecurityDatabase" attribute for just created DB.
Add following lines:

noacc = C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
{
SecurityDatabase = $(dir_secDb)/broken_sec.dat
}

* stop FB service, run: copy C:\MIX\firebird\fb30\security3.fdb C:\MIX\firebird\fb30\broken_sec.dat

* start FB service, make attachment to 'localhost:noacc' as SYSDBA and add two users with diff. plugins:
    SQL> create or alter user foo_leg password '123' using plugin Legacy_UserManager;
    SQL> create or alter user foo_srp password '123' using plugin Srp;
    SQL> commit;
    SQL> set list on;
    SQL> select sec$user_name, sec$plugin from sec$users where sec$user_name starting with 'FOO';

    SEC$USER_NAME FOO_LEG
    SEC$PLUGIN Legacy_UserManager

    SEC$USER_NAME FOO_SRP
    SEC$PLUGIN Srp

    SQL> quit;

* check that we can make attachments using these users:

    C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_leg -pas 123 -q
    Database: localhost:noacc, User: FOO_LEG
    SQL> quit;

    C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
    Database: localhost:noacc, User: FOO_SRP
    SQL> quit;

* stop FB service, make copy of broken_sec.dat:
    copy C:\MIX\firebird\fb30\broken_sec.dat C:\MIX\firebird\fb30\broken_sec.bak

* replace content of broken_sec.dat with garbage, e.g. with plain text:

    C:\MIX\firebird\fb30\fbsvcmgr -? 1>C:\MIX\firebird\fb30\broken_sec.dat 2>&1

* start FB service

* try to connect using each of foo_leg & foo_srp. Result will be EXPECTED:

    C:\MIX\firebird\fb30\isql localhost:noacc -user foo_leg -pas 123 -q
    Statement failed, SQLSTATE = 28000
    Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
    SQL> quit;

    C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
    Statement failed, SQLSTATE = 28000
    Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
    SQL> quit;

* open firebird.log. IT WILL BE EMPTY.
Why?



Alexander Peshkov added a comment - 08/May/18 12:38 PM
Pavel, please remove Legacy_Auth from your configuration (at all) and try again. Or at least place it after Srp.

Pavel Zotov added a comment - 08/May/18 01:29 PM
Alex, it did not help.
This is current config:
===
    AuthServer = Srp
    UserManager = Srp
    AuthClient = Srp
    WireCrypt = Disabled
===

Result is the same: firebird.log remains EMPTY.
Maybe it is the OS or bitness (Windows XP, 32-bit) that affects this?



Alexander Peshkov added a comment - 08/May/18 03:19 PM
Right now rechecked:
1. linux + legacy auth - recorded in firebird.log
2. windows using default config (ie SRP) - recorded in firebird.log

Pavel Zotov added a comment - 08/May/18 03:59 PM - edited
I've found the reason: value of parameter WireCrypt.
When it is Disabled, no record will be added to firebird.log, and the client will get this error:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird logi

Otherwise the record *will* be added and the error looks like this:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 08006
Error occurred during login, please check server firebird.log for details
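As an added example, not code from the Firebird project or from anyone on this ticket: a small Python parser for the firebird.log entry format Alexander quotes above (a "host weekday month day time year" header followed by indented detail lines), which flags entries whose "Database:" line names a configured security database. The set of security database paths is assumed to be taken from databases.conf; the path used in the test is the one from his sample, and the sample log below is constructed.

```python
import re
from dataclasses import dataclass, field

# firebird.log entry header, as in the comment above: "<host> <weekday> <month> <day> <HH:MM:SS> <year>"
HEADER_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)

@dataclass
class LogEntry:
    host: str
    stamp: str
    lines: list = field(default_factory=list)

def parse_firebird_log(text):
    """Split firebird.log text into entries: one header line plus its indented detail lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(m["host"], m["stamp"]))
        elif entries and raw.strip():
            entries[-1].lines.append(raw.strip())
    return entries

def security_db_failures(entries, secdb_paths):
    """Return (stamp, path, detail) for entries whose 'Database:' line names a configured
    security database; these server-side failures reach the client only as SQLSTATE 28000."""
    wanted = {p.lower() for p in secdb_paths}  # case-insensitive so Windows paths also match
    hits = []
    for e in entries:
        db = next((l[len("Database:"):].strip() for l in e.lines if l.startswith("Database:")), None)
        if db is None or db.lower() not in wanted:
            continue
        detail = "; ".join(l for l in e.lines if not l.startswith("Database:"))
        hits.append((e.stamp, db, detail))
    return hits

# Constructed sample: the first entry is the one quoted in the comments, the second is an
# unrelated user database and must not be flagged.
SAMPLE_LOG = """\
localhost Mon Oct 19 13:11:12 2015
    Database: /usr/home/firebird/Trunks/trunk/gen/Release/firebird/security3.fdb
    file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

localhost Mon Oct 19 13:12:40 2015
    Database: /srv/app/orders.fdb
    file /srv/app/orders.fdb is not a valid database
"""
```

Run it against a real firebird.log after a failed login to tell a damaged or misconfigured SecurityDatabase apart from plain wrong credentials, which this ticket shows the client-side message alone cannot do.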