
Real errors during connect to security database are hidden by Srp user manager. Errors should be logged no matter what AuthServer is used. [CORE4964] #5255

Closed
firebird-automations opened this issue Oct 18, 2015 · 18 comments

Comments

@firebird-automations
Collaborator

Submitted by: @aafemt

Whichever error happens during attach to the security database, the user will get only the confusing and misguiding "Your user name and password are not defined.". Thus it is almost impossible to diagnose problems with the security database.

To reproduce the problem you can replace security database with any garbage file.

Commits: df2fb33 FirebirdSQL/fbt-repository@e4649b1

@firebird-automations
Collaborator Author

Modified by: @aafemt

description: Whichever error happen during attach to security database, user will get only confusing and misguiding "Your user name and password are not defined.". Thus it is almost impossible to diagnose problems with security database. => Whichever error happen during attach to security database, user will get only confusing and misguiding "Your user name and password are not defined.". Thus it is almost impossible to diagnose problems with security database.

To reproduce the problem you can replace security database with any garbage file.

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

This is as designed: in order to avoid potential security problems, the actual reasons for the inability to validate login/password are not broadcast all over the world.
Instead they are written to the server's firebird.log file, where any reasonable sysadmin can easily find them. For your particular sample I get:
localhost Mon Oct 19 13:11:12 2015
Database: /usr/home/firebird/Trunks/trunk/gen/Release/firebird/security3.fdb
file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

PS. Debugging version does return that class of messages to the client.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Won't Fix [ 2 ]

@firebird-automations
Collaborator Author

Commented by: @aafemt

On Windows with a release build of current trunk run as an application, I got nothing in firebird.log.

Edit: Legacy_UserManager indeed writes error into log. Srp as in default config - doesn't.

@firebird-automations
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations
Collaborator Author

Commented by: Sean Leyne (seanleyne)

Alexander,

While I fully support the need to not broadcast security issues, the current error message is very misleading.

It would be better for another message to be returned ("Error occurred during login, please check server firebird.log for detail") which would clearly outline that the error is "system" related rather than simple user credentials. This would align with how other systems/OSes deal with login errors (Windows reports "unable to connect to domain server" vs. "user credentials are invalid").

@firebird-automations
Collaborator Author

Modified by: @aafemt

summary: Real errors during connect to security database are hidden => Real errors during connect to security database are hidden by Srp user manager

environment: Windows, default firebird.conf

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

Fix Version: 3.0.0 [ 10048 ]

summary: Real errors during connect to security database are hidden by Srp user manager => Real errors during connect to security database are hidden by Srp user manager. Errors should be logged no matter what AuthServer is used.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Closed [ 6 ] => Reopened [ 4 ]

assignee: Alexander Peshkov [ alexpeshkoff ]

resolution: Won't Fix [ 2 ] =>

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Reopened [ 4 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

@firebird-automations
Collaborator Author

Commented by: @pavel-zotov

> Instead they are written to server's firebird.log <...>
> file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

Can NOT reproduce this on WI-V3.0.4.32963, tried SS & CS, for both UserManager = Legacy_UserManager and Srp.

Scenario:

* Use following parameters in the firebird.conf:
AuthServer = Legacy_Auth,Srp,Win_Sspi
UserManager = Legacy_UserManager,Srp
AuthClient = Legacy_Auth,Srp
WireCrypt = Disabled

* Restart FB service

* create database using default security.db, let its name be: C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
SQL> create database 'localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb' user sysdba password 'masterkey';
SQL> show database;
Database: localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
Owner: SYSDBA
PAGE_SIZE 8192
Number of DB pages allocated = 180
. . .
Database not encrypted
Default Character set: NONE
SQL> quit;

* open %FIREBIRD_HOME%\databases.conf and change the "SecurityDatabase" attribute there for the just-created DB.
Add the following lines:

noacc = C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
{
SecurityDatabase = $(dir_secDb)/broken_sec.dat
}

* stop FB service, run: copy C:\MIX\firebird\fb30\security3.fdb C:\MIX\firebird\fb30\broken_sec.dat

* start FB service, make attachment to 'localhost:noacc' as SYSDBA and add two users with diff. plugins:
SQL> create or alter user foo_leg password '123' using plugin Legacy_UserManager;
SQL> create or alter user foo_srp password '123' using plugin Srp;
SQL> commit;
SQL> set list on;
SQL> select sec$user_name, sec$plugin from sec$users where sec$user_name starting with 'FOO';

SEC$USER_NAME                   FOO_LEG
SEC$PLUGIN                      Legacy_UserManager

SEC$USER_NAME                   FOO_SRP
SEC$PLUGIN                      Srp

SQL> quit;

* check that we can make attachments using these users:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_leg -pas 123 -q
Database: localhost:noacc, User: FOO_LEG
SQL> quit;

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Database: localhost:noacc, User: FOO_SRP
SQL> quit;

* stop FB service, make a copy of broken_sec.dat:
copy C:\MIX\firebird\fb30\broken_sec.dat C:\MIX\firebird\fb30\broken_sec.bak

* replace the content of broken_sec.dat with garbage, e.g. with plain text:

C:\MIX\firebird\fb30\fbsvcmgr -? 1>C:\MIX\firebird\fb30\broken_sec.dat 2>&1

* start FB service

* try to connect using each of foo_leg & foo_srp. Result will be EXPECTED:

C:\MIX\firebird\fb30\isql localhost:noacc -user foo_leg -pas 123 -q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL> quit;

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL> quit;

* open firebird.log. IT WILL BE EMPTY.
Why ?

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Deferred

Test Details: See comment 08/May/18 04:44 AM

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Pavel, please remove Legacy_Auth from your configuration (at all) and try again. Or at least place it after Srp.

@firebird-automations
Collaborator Author

Commented by: @pavel-zotov

Alex, it did not help.
This is current config:

AuthServer = Srp
UserManager = Srp
AuthClient = Srp
WireCrypt = Disabled

===

Result is the same: firebird.log remains EMPTY.
Maybe it is the OS or bitness (Windows XP, 32 bit) that affects this?

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Right now rechecked:
1. linux + legacy auth - recorded in firebird.log
2. windows using default config (ie SRP) - recorded in firebird.log

@firebird-automations
Collaborator Author

Commented by: @pavel-zotov

I've found the reason: the value of the parameter WireCrypt.
When it is Disabled, no record will be added into firebird.log, and the client will get this error:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird logi

Otherwise a record *will* be added and the error looks like this:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 08006
Error occurred during login, please check server firebird.log for details
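An added example, not code from the thread or from the Firebird project: a small Python helper that parses firebird.log entries in the layout quoted earlier in this thread, picks out failures recorded against a security database, and maps the two client-side SQLSTATEs discussed above (28000 vs. 08006) to what an operator should check next. The sample log text and the list of security database file names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the firebird.log layout quoted in the thread: "<host> <timestamp>" header, then detail lines.
SAMPLE_LOG = """\
localhost Mon Oct 19 13:11:12 2015
Database: /usr/home/firebird/Trunks/trunk/gen/Release/firebird/security3.fdb
file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

localhost Mon Oct 19 13:15:40 2015
Database: /data/app.fdb
some unrelated message
"""
_HEADER = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$")

@dataclass
class LogEntry:
    host: str
    when: datetime
    lines: list  # detail lines that follow the header

def parse_firebird_log(text):
    # Every header line starts a new entry; non-blank lines after it are that entry's details.
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            entries.append(LogEntry(m["host"], when, []))
        elif line and entries:
            entries[-1].lines.append(line)
    return entries

def security_db_failures(entries, sec_db_names=("security3.fdb", "security.db")):
    """(database path, error text) for entries whose Database: line names a security database.
    sec_db_names is an assumption; add site-specific names such as broken_sec.dat."""
    hits = []
    for e in entries:
        db = next((l.split(":", 1)[1].strip() for l in e.lines if l.startswith("Database:")), None)
        if db and db.endswith(tuple(sec_db_names)):
            errors = [l for l in e.lines if not l.startswith("Database:")]
            if errors:
                hits.append((db, " ".join(errors)))
    return hits

def classify_client_error(sqlstate):
    # 28000 is what the client sees both for bad credentials and for the masked server-side error.
    return {"28000": "credentials, or a server-side error masked as one (WireCrypt = Disabled): check firebird.log",
            "08006": "server-side login error: the real reason is in firebird.log"}.get(sqlstate, "not a login error")
```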

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Deferred => Done successfully

Test Details: See comment 08/May/18 04:44 AM =>

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

Fix Version: 3.0.4 [ 10863 ]
