Firebird

A Quick Tutorial for Firebird RDBMS

Published in: Technology
  1. 1. FIREBIRD RDBMS Quick Tutorial chinsan
  2. 2. Firebird DBA
     - Installation and common DB operation
     - Server, Account Management
     - Troubleshooting
     - Security and Audit
     - Backup and Restore
     - Some Firebird SQL tools
  3. 3. Installation
     There are 2 main types of builds: the “Superserver” and the “Classic server”. We went for the Superserver because it scales better with a higher number of connections (although it lacks SMP support).
     Package: FirebirdSS-1.5.4.4910-0.i686.tar.gz
     Extract the tarball.
  4. 4. [chinsan@GST scripts]$ diff -ruN preinstall.sh.orig preinstall.sh --- preinstall.sh.orig 2007-10-17 15:14:19.000000000 +0800 +++ preinstall.sh 2007-10-17 15:15:05.000000000 +0800 @@ -214,22 +214,6 @@ } -#------------------------------------------------------------------------ -# Check for presence of editor 'ex' - -checkForEx() { - ex <<EOS >/dev/null 2>&1 -q -EOS - if [ $? -ne 0 ] - then - echo quot;+------------------- ERROR -----------------------+quot; - echo quot;| Your system miss editor 'ex'. |quot; - echo quot;| Please install it before running setup program. |quot; - echo quot;+-------------------------------------------------+quot; - exit 127 - fi -} #== Main Pre ================================================================= @@ -239,7 +223,6 @@ ArchiveDateTag=`date +quot;%Y%m%d_%H%Mquot;` ArchiveMainFile=quot;${FBRootDir}_${ArchiveDateTag}.tar.gzquot; - checkForEx # Ok so any of the following packages are a problem # these don't work at least in the latest rpm manager, since it
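     Review bot: No guard for a missing `ex` editor remains once the `checkForEx` call in the main section (second hunk) and the function above it (first hunk) are deleted, and the patch gives no reason for dropping it. The removed message tells the user to install `ex` "before running setup program", which suggests a later step depends on it; if so, a host without `ex` now gets past preinstall.sh and fails later with a less clear error. Prefer installing `ex` on the target host, or keep the function and turn `exit 127` into a warning, and record in a comment why the check was relaxed.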
  5. 5. Server
     Start server:
         service firebird start
     or
         su -c "fbmgr -start" firebird
     or
         su -c "fbmgr -start -forever -password SYSDBApassword" firebird
     Stop server:
         service firebird stop
     or
         su -c "fbmgr -shut -password SYSDBApassword" firebird
  6. 6. Account management
     The default admin username:password pair for Firebird is SYSDBA:masterkey. In fact, it’s ‘masterke’, as only the first 8 characters are checked.
     It is STRONGLY recommended that you change the SYSDBA password before doing anything serious with Firebird:
         % gsec -user SYSDBA -pass masterkey
         GSEC> modify SYSDBA -pw newpassword
         GSEC> quit
     Add user:
         % gsec
         GSEC> add myuser -pw mypassword
         GSEC> quit
     Forgot a password? If you still have the SYSDBA password, it’s easy, as SYSDBA can alter the password of any user. If not, you need to replace security.fdb with a clean one (where you know the password).
  7. 7. SYSDBA
     bin/changeDBAPassword.sh
     /etc/init.d/firebird
         ISC_PASSWORD=foobar
     WARNING: you should not expose the SYSDBA password in a publicly-readable file. So please ensure this file is not world readable. Eventually this file should not need to contain any passwords, as root user alone should be sufficient privilege to stop/start the server.
  8. 8. gsec
     Explanation of gsec switches:
         -user   should always be SYSDBA
         -pass   SYSDBA password
         -mo     modify user
         -add    add user
         -del    delete user
         -pw     password for user
  9. 9. Common DB operation (1)
     Interactive shell: isql
     In isql, every SQL statement must end with a semicolon (;). If you forget the semicolon, just type it after the CON> prompt.
     Database connection (note: server name and path):
         SQL> connect 'hostname:/path/to/employee.fdb' user 'SYSDBA' password 'SYSDBApassword';
     Important: If you run Classic Server on Linux, a fast, direct local connection is attempted if the database path does not start with a hostname. This may fail if your Linux login doesn’t have sufficient access rights to the database file. In that case, connect to localhost:/<path>. Then the server process (with Firebird 1.5 usually running as firebird) will open the file. On the other hand, network-style connections may fail if a user created the database in Classic local mode and the server doesn’t have enough access rights.
     If you run Classic Server on Windows, you must specify a hostname (which may be localhost) plus a full path, or the connection will fail.
  10. 10. Common DB operation (2)
      Quit:
          SQL> QUIT;
      In the CREATE DATABASE statement the quotes around path string, username, and password are mandatory. This is different from the CONNECT statement. For example:
          SQL> CREATE DATABASE 'D:datatest.fdb' page_size 8192
          CON> user 'SYSDBA' password 'masterkey';
  11. 11. Troubleshooting
      “semget failed”?
          Make sure that the lock manager is not running and its semaphores have been removed. The former can be accomplished with 'ps ax|grep fb' and 'kill'; the latter with 'ipcs -s' and 'ipcrm -s'.
      “Statement failed, SQLCODE = -551 no permission for read-write access to xxoo database”?
          The server process doesn't have read or write access to the database file.
              # chown firebird:firebird xxoo.fdb
      “page xxx is of wrong type”?
          a) Back up the database.
          b) Fix the database:
              1) gfix -v -f database.gdb
              2) gfix -m -i database.gdb
             or restore the database.
      More FAQ on http://www.firebirdfaq.org/
  12. 12. Security and Audit
  13. 13. shell security
      bash:
          ln -s /dev/null ~/.bash_history
          :> ~/.bash_history
          history -c
      csh/tcsh:
          ln -s /dev/null ~/.history
          :> ~/.history
      or
          history -c
  14. 14. How to hide list of users/passwords?
      When you rename the USERS table and create a USERS view in its place, you allow users to modify their passwords while hiding the full list of users from PUBLIC. Each user (except SYSDBA) will see only one (its own) record in isc4.gdb! The new isc4.gdb will then look like this (simplified version):
          CREATE TABLE USERS2 (
              USER_NAME VARCHAR(128),
              PASSWD VARCHAR(32)
          );
          CREATE VIEW USERS AS
              SELECT * FROM USERS2
              WHERE USER = '' OR USER = 'SYSDBA' OR USER = USER_NAME;
          GRANT SELECT ON USERS TO PUBLIC;
          GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
              ON USERS TO PUBLIC;
      The real table USERS2 is visible only to SYSDBA. The condition USER = USER_NAME ensures that each user sees its own record. The condition USER = 'SYSDBA' ensures that SYSDBA can see all records. The condition USER = '' is important because the USER variable contains an empty string during password verification! You can look at the full script to modify the standard isc4.gdb here.
  15. 15. How to log login-attempts? http://www.volny.cz/iprenosil/interbase/ip_ib_isc4.htm#_ibisc4_log
  16. 16. How to slow down intruders?
      Once we are able to log who tried to log in to the database and when, we can use this information to further restrict access. It is possible, for example, to count the number of login attempts for a given username during the last minute and refuse the connection if this number is too high, thus effectively preventing brute-force attempts that scan all possible passwords. So when somebody tries to guess a password by logging in with different password combinations, that username is temporarily blocked from login; for this reason the time interval and allowed login count should be carefully chosen to slow down an intruder without restricting regular users too much (e.g. when somebody just makes a typo in the password). A similar system (more sophisticated, of course) is used in the OpenVMS OS. The relevant part of the code in the SP is as simple as this:
          DECLARE VARIABLE cnt INTEGER;
          SELECT COUNT(*) FROM log_table
              WHERE uname=:un AND tstamp>CURRENT_TIMESTAMP-0.0007
              INTO :cnt;
          IF (cnt>=3) THEN EXIT;
      where you can change the constants 3 (allowed number of mistakes) and 0.0007 (approximately 1 minute). Full script is here.
      This procedure works (i.e. prevents access) for all users. One possible modification would be to choose one user (other than SYSDBA, because it is the most endangered username) that is not restricted by the procedure and that owns all databases (and thus has rights to shut down the database).
  17. 17. How to get a list of all roles in a database?
      Query the RDB$ROLES system table:
          SELECT * FROM RDB$ROLES;
  18. 18. How to get a list of roles granted to a user?
      You need to query the RDB$USER_PRIVILEGES system table. The following example shows all users and the roles granted to them:
          SELECT u.RDB$USER, u.RDB$RELATION_NAME
          FROM RDB$USER_PRIVILEGES u
          WHERE u.RDB$PRIVILEGE = 'M'
          ORDER BY 1, 2;
  19. 19. Does Firebird support field-level access rights?
      Yes, it does for writing new values (UPDATE statements). To control the rights, use the GRANT and REVOKE statements:
          GRANT UPDATE (field1) ON table1 TO USER1;
          REVOKE UPDATE (field2) ON table2 FROM USER2;
      If you wish to limit users to certain fields when reading (SELECT), a common way is to use views:
          create view v1 (limited column list) as select limited,column,list from t1;
      And then grant the user SELECT rights only for the view. With views, you can also limit which records (rows) a user can see:
          create view v1 (column,list) as select column,list from t1 where ...constraining clause...;
      If you need really complex rules, you can set up a stored procedure that returns NULLs for some columns to specific users.
  20. 20. Firebird Technical Specifications
      Database limits & Data Type Specifics: http://www.firebirdsql.org/index.php?op=guide&id=techspec
          gds_db 3050/tcp #InterBase Database Remote Protocol
  21. 21. Backup & Restore
      GBAK is Firebird’s command line tool for online backup and restore of a complete database.
      General syntax:
          gbak <options> -user <username> -password <password> <source> <destination>
      Backup: For backups, <source> is the database you want to back up, <destination> is the file name of the backup file. The usual extension is .fbk for Firebird and .gbk for InterBase. Only SYSDBA or the database owner can perform a backup. For multi-file databases, specify only the name of the first file as the database name.
      Back up a database into a compressed format:
          gbak -b db-srv://database.fdb /dev/stdout | gzip > /file.fbk.gz
  22. 22. Restore
      Restore: For restores, <source> is the backup file and <destination> is the name of the database that is to be built up from the backup file. You will have to specify the -C option for restore.
      Restore a database into a new filename:
          zcat /file.fbk.gz | gbak -c /dev/stdin db-srv://new-database.fdb
      Multi-file backup and restore: man gbak
  23. 23. Commonly used extensions
      Note that the filename extensions used here are just recommended. Using a unified extension scheme helps guess the file type just by looking at its extension.
          .fdb     Firebird database
          .gdb     Firebird database, legacy extension from the days when Firebird was InterBase. gdb actually comes from Groton database, named after the company that created the software.
          .fdb.2   Second file of multi-file database
          .fdb.3   Third file of multi-file database
          .fdb.N   N-th file of multi-file database
          .fbk     Firebird backup file
          .gbk     Legacy extension for backup file
  24. 24. Some Firebird SQL tools
      - EMS SQL Manager for InterBase/Firebird: http://www.sqlmanager.net/en/products/ibfb/manager/download/
      - FlameRobin: another GUI tool, open source. http://www.flamerobin.org/
      - ibWebAdmin: web frontend for the Firebird and InterBase database servers, written in PHP. http://www.ibwebadmin.net/
  25. 25. Reference
      - Firebird Documentation Set: http://www.firebirdsql.org/manual/
      - The Firebird FAQ: http://www.firebirdfaq.org/
      - Firebird SQL statement and function reference: http://www.ibphoenix.com/main.nfs?a=ibphoenix&page=ibp_60_sqlref
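
The two exposures that slides 6 and 7 warn about (a SYSDBA password that is still the default after 8-character truncation, and ISC_PASSWORD sitting in a world-readable file) can be checked mechanically. The script below is an added example, not part of the original slides; the function names and the sample init-script fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): audit a file such as
# /etc/init.d/firebird for an exposed or default-equivalent SYSDBA password.

# Firebird 1.5 checks only the first 8 characters, so any password that
# starts with "masterke" is the default password as far as the server cares.
is_default_equivalent() {
    [ "$(printf '%s' "$1" | cut -c1-8)" = "masterke" ]
}

# Print findings for one file, one per line; print nothing if it is clean.
# The password value itself is never printed.
audit_password_file() {
    f=$1
    # Value of the first ISC_PASSWORD assignment, with optional quotes removed.
    pw=$(sed -n 's/^[[:space:]]*ISC_PASSWORD=//p' "$f" | head -n 1 | tr -d "\"'")
    [ -n "$pw" ] || return 0
    # -perm -004 matches when the "other" read bit is set (world readable).
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "WORLD_READABLE $f"
    fi
    if is_default_equivalent "$pw"; then
        echo "DEFAULT_PASSWORD $f"
    fi
    return 0
}

# Constructed sample: an init-script fragment like the one on slide 7.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'ISC_USER=SYSDBA' 'ISC_PASSWORD=foobar' > "$demo_dir/firebird"
chmod 644 "$demo_dir/firebird"
audit_password_file "$demo_dir/firebird"    # reports WORLD_READABLE
chmod 600 "$demo_dir/firebird"
audit_password_file "$demo_dir/firebird"    # prints nothing
rm -rf "$demo_dir"
```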
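
The counting rule from slide 16, replayed outside the database over a constructed login log so that the effect of the constants 3 and 0.0007 can be seen. This is an added example, not the author's stored procedure; `throttle_replay`, `sample_log` and the log format are hypothetical, and it assumes every attempt, refused or not, is logged.

```shell
#!/bin/sh
# Added example: replay the slide-16 throttle rule over a login log.
# Input lines:  "<seconds> <username>", in time order.
# Output lines: "<seconds> <username> ALLOW|REFUSE".

throttle_replay() {
    max=${1:-3}         # allowed attempts in the window (the constant 3)
    days=${2:-0.0007}   # window in days, as in CURRENT_TIMESTAMP-0.0007
    awk -v max="$max" -v days="$days" '
    BEGIN { window = days * 86400 }   # 0.0007 days = 60.48 seconds
    {
        t = $1 + 0; u = $2; cnt = 0
        # Same test as: COUNT(*) WHERE uname=:un AND tstamp > now - window
        for (i = 1; i <= n[u]; i++)
            if (seen[u, i] > t - window) cnt++
        print $1, u, (cnt >= max ? "REFUSE" : "ALLOW")
        # Assumption: every attempt, refused or not, is written to the log.
        seen[u, ++n[u]] = t
    }'
}

# Constructed sample: guesses against SYSDBA every 10 s, the real
# administrator at second 35, another user at 36, and a retry at 100.
sample_log() {
    printf '%s\n' '0 SYSDBA' '10 SYSDBA' '20 SYSDBA' '30 SYSDBA' \
                  '35 SYSDBA' '36 alice' '100 SYSDBA'
}

sample_log | throttle_replay
```

In the sample, the attempt at second 35 is refused whatever password it carries, which is the lockout side effect the slide addresses by keeping one owner account outside the procedure.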
