FirebirdSql.Data.Services demands SYSDBA to list users, where RDB$ADMIN insufficient?


David Carr
When I am trying to use some of the FirebirdSql.Data.Services API (v5.6) against a Firebird v2.5.6 database, such as:

- FirebirdSql.Data.Services.FbServerProperties.GetDatabasesInfo()
- FirebirdSql.Data.Services.FbSecurity.GetUsersDbPath()

I get the error:
"Service isc_info_svc_svr_db_info requires SYSDBA permissions. Reattach to the Service Manager using the SYSDBA account."

This is even though I am logged in under the RDB$ADMIN ROLE.

More to the point, further, when I call
                FbUserData[] users = Globals.FbSecurity.DisplayUsers();
(NB: Where my Globals.FbSecurity returns a FirebirdSql.Data.Services.FbSecurity object)

I am provided with the full list of users when logged in as SYSDBA, but if logged in as another user under the RDB$ADMIN ROLE, I am returned only this given user in FbUserData[].

This is different from how things work in gsec. There, enumeration of users IS possible by connecting via the RDB$ADMIN role:
>gsec -user MyAdm -pass admpw -role rdb$admin -display 

As I can CREATE and DROP users under a user with the RDB$ADMIN ROLE, it seems strange that I cannot list them as well.

Is there any way of accessing the services API under a user other than SYSDBA? More to the point, I want to create users who have administrative function on the database (i.e. CREATE/DROP users) so that the SYSDBA user (and its password) are not in use/shared. But I need to be able to enumerate the list of users (e.g. FbSecurity.DisplayUsers()).

Thanks in advance,
David



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Firebird-net-provider mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider

Re: FirebirdSql.Data.Services demands SYSDBA to list users, where RDB$ADMIN insufficient?

Jiří Činčura-2
> This is different from how things work in gsec. There, enumeration of
> users
> IS possible by connecting via the RDB$ADMIN role;
> >gsec -user MyAdm -pass admpw -role rdb$admin -display

This gsec command is not connecting to a remote database using the services
API.

--
Mgr. Jiří Činčura
Independent IT Specialist


Re: FirebirdSql.Data.Services demands SYSDBA to list users, where RDB$ADMIN insufficient?

David Carr
Hi Jiri,

I also posted on the Firebird Yahoo group, and received an informative response that from what the person looked at, they wrote that it seemed that the .NET Provider does not use the ROLE when connecting.

When I dig into the .NET Provider source, specifically the FbSecurity.DisplayUsers() call, I see that the call to FbService.Open() in turn calls FbService.BuildSpb() which does seem to set the ROLE if given (FbService.cs, line 98):

    if ((_csManager?.Role.Length ?? 0) != 0)
        spb.Append((byte)IscCodes.isc_spb_sql_role_name, _csManager.Role);

That being said, it doesn't seem to have an effect and even if logged in with role RDB$ADMIN, only the given user is returned (other than if SYSDBA).

Thoughts? Is there any way to list the users?

If not, can it be added as a feature that if logged in with RDB$ADMIN role, that the users can be listed?

Thanks,
David


On 24 February 2017 at 01:13, Jiří Činčura <[hidden email]> wrote:
> > This is different from how things work in gsec. There, enumeration of
> > users
> > IS possible by connecting via the RDB$ADMIN role;
> > >gsec -user MyAdm -pass admpw -role rdb$admin -display
>
> This gsec command is not connecting to a remote database using the services
> API.
>
> --
> Mgr. Jiří Činčura
> Independent IT Specialist


Re: FirebirdSql.Data.Services demands SYSDBA to list users, where RDB$ADMIN insufficient?

Jiří Činčura-2
> if ((_csManager?.Role.Length ?? 0) != 0)
> spb.Append((byte)IscCodes.isc_spb_sql_role_name, _csManager.Role);
>
> That being said, it doesn't seem to have an effect and even if logged in
> with role RDB$ADMIN, only the given user is returned (other than if
> SYSDBA).
>
> Thoughts? Is there any way to list the users?
>
> If not, can it be added as a feature that if logged in with RDB$ADMIN
> role, that the users can be listed?

Sure. But do your work and find what needs to be changed. Maybe the role
needs to be passed in another place and not only in SPB.

--
Mgr. Jiří Činčura
Independent IT Specialist
