Installation and common DB operation
Server, Account Management
Security and Audit
Backup and Restore
Some Firebird SQL tools
There are 2 main types of builds: the “Superserver” and
the “Classic server”. We went for the Superserver
because it scales better with higher number of
connections (although it lacks SMP support).
extract the tarball
[chinsan@GST scripts]$ diff -ruN preinstall.sh.orig preinstall.sh
--- preinstall.sh.orig 2007-10-17 15:14:19.000000000 +0800
+++ preinstall.sh 2007-10-17 15:15:05.000000000 +0800
@@ -214,22 +214,6 @@
-# Check for presence of editor 'ex'
- ex <<EOS >/dev/null 2>&1
- if [ $? -ne 0 ]
- echo quot;+------------------- ERROR -----------------------+quot;
- echo quot;| Your system miss editor 'ex'. |quot;
- echo quot;| Please install it before running setup program. |quot;
- echo quot;+-------------------------------------------------+quot;
- exit 127
#== Main Pre =================================================================
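Review bot: The block removed at the top of this hunk was the early check for the 'ex' editor, and its own error text says ex must be installed before running the setup program, so deleting it trades a clear "exit 127" for a possible failure later in the install. If the target system lacks ex, installing it is safer than dropping the test; if the check really is obsolete, the patch should carry a comment saying why the setup no longer needs ex.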
@@ -239,7 +223,6 @@
# Ok so any of the following packages are a problem
# these don't work at least in the latest rpm manager, since it
service firebird start
or su -c "fbmgr -start" firebird
or su -c "fbmgr -start -forever -password SYSDBApassword"
service firebird stop
or su -c "fbmgr -shut -password SYSDBApassword" firebird
The default admin username:password pair for Firebird is SYSDBA:masterkey.
In fact, it’s ‘masterke’ as only the first 8 characters are checked.
It is STRONGLY recommended that you change the SYSDBA password with:
% gsec -user SYSDBA -pass masterkey
GSEC> modify SYSDBA -pw newpassword
before doing anything serious with Firebird.
GSEC> add myuser -pw mypassword
If you still have the SYSDBA password, it’s easy, as SYSDBA can alter the password of any
user. If not, you need to replace the security.fdb with a clean one (where you know
WARNING: you should not expose the SYSDBA
password in a publicly-readable file. So please ensure
this file is not world readable. Eventually this file
should not need to contain any passwords. As root user
alone should be sufficient privilege to stop/start the
Explanation of gsec switches:
-user should always be SYSDBA
-pass SYSDBA password
-mo modify user
-add add user
-del delete user
-pw password for user
Common DB operation(1)
interactive shell: isql
In isql, every SQL statement must end with a semicolon (;). If you forget the semicolon,
just type it at the CON> prompt.
Note: Server name and path
SQL> connect "hostname:/path/to/employee.fdb" user 'SYSDBA' password 'SYSDBApassword';
If you run Classic Server on Linux, a fast, direct local connection is attempted if the database path does not
start with a hostname. This may fail if your Linux login doesn’t have sufficient access rights to the database file.
In that case, connect to localhost:/<path>. Then the server process (with Firebird 1.5 usually running as firebird)
will open the file. On the other hand, network-style connections may fail if a user created the database in
Classic local mode and the server doesn’t have enough access rights.
If you run Classic Server on Windows, you must specify a hostname (which may be localhost) plus a full path,
or the connection will fail.
Common DB operation(2)
In the CREATE DATABASE statement the quotes around path string, username,
and password are mandatory. This is different from the CONNECT statement, i.e.
SQL>CREATE DATABASE 'D:datatest.fdb' page_size 8192
CON>user 'SYSDBA' password 'masterkey';
Make sure that the lock manager is not running and that its semaphores have been removed. The former can
be accomplished with 'ps ax|grep fb' and 'kill'; the latter with 'ipcs -s' and 'ipcrm -s'.
“Statement failed, SQLCODE = -551 no permission for read-write access to xxoo”
The server process doesn't have read or write access to the database file.
# chown firebird:firebird xxoo.fdb
“page xxx is of wrong type”?
1) gfix -v -f database.gdb
2) gfix -m -i database.gdb
or restore database
More FAQ on http://www.firebirdfaq.org/
How to hide the list of users?
When you rename the USERS table and create a USERS view in its place, you allow users to modify their own passwords and also hide the full list of users from PUBLIC. Each
user (except SYSDBA) will see only one (its own) record in isc4.gdb! The new isc4.gdb will then look like this (simplified version):
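CREATE TABLE USERS2 (
  USER_NAME VARCHAR(128),
  /* ... the other columns of the standard USERS table ... */
  PASSWD VARCHAR(32) );
CREATE VIEW USERS AS
  SELECT * FROM USERS2
  WHERE USER = ''
  OR USER = 'SYSDBA'
  OR USER = USER_NAME;
GRANT SELECT ON USERS TO PUBLIC;
GRANT UPDATE(PASSWD, GROUP_NAME, UID, GID, FIRST_NAME, MIDDLE_NAME, LAST_NAME)
  ON USERS TO PUBLIC;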
Real table USERS2 is visible only to SYSDBA. The condition
USER = USER_NAME
ensures that each user sees its own record. The condition
USER = 'SYSDBA'
ensures that SYSDBA can see all records. The condition
USER = ''
is important because the USER variable contains an empty string during password verification!
You can look at full script to modify standard isc4.gdb here.
How to log login-attempts?
How to slow down intruders?
Once we are able to log who tried to log in to the database and when, we can use this information to
further restrict access. It is possible, for example, to count the number of login attempts for a given
username during the last minute and refuse the connection if this number is too high, which effectively
prevents brute-force password guessing. When somebody tries to guess a password by logging in with
different password combinations, the username is temporarily blocked from logging in; for this reason
the time interval and the allowed login count should be chosen carefully, to slow down an intruder
without restricting regular users too much (e.g. when somebody just makes a typo in a password).
A similar (more sophisticated, of course) system is used in the OpenVMS OS. The relevant part of the
code in the SP is as simple as this:
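DECLARE VARIABLE cnt INTEGER;
/* ... cnt is set to the number of login attempts logged for this username within the last 0.0007 days ... */
IF (cnt>=3) THEN EXIT;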
where you can change the constants 3 (allowed number of mistakes) and 0.0007 (approximately 1
minute). Full script is here. This procedure works (i.e. prevents access) for all users. One
possible modification would be to choose one user (different from SYSDBA, because it is the
most endangered username) that is not restricted by that procedure, and that owns all
databases (and thus has rights to shut down the database).
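The counting rule described above, modelled in Python as an added example (it is not the stored procedure from the original script). It uses the page's constants 3 and 0.0007 days; the class and function names, the DBOWNER account and the choice to log refused attempts as well are assumptions.

```python
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                     # the page's "allowed number of mistakes"
WINDOW = timedelta(days=0.0007)      # the page's 0.0007 days, i.e. 60.48 seconds


class LoginThrottle:
    """Per-username check: count logged attempts in the window, refuse at the limit."""

    def __init__(self, exempt=()):
        self.exempt = set(exempt)    # hypothetical owner account that is never throttled
        self.log = []                # (username, timestamp) rows, like a login log table

    def attempt(self, username, now):
        """Return True if the login may go on to password verification."""
        recent = sum(1 for u, t in self.log
                     if u == username and now - t < WINDOW)
        # Assumption: refused attempts are logged too, so a sustained guessing
        # run keeps the username blocked for as long as it continues.
        self.log.append((username, now))
        if username in self.exempt:
            return True
        return recent < MAX_ATTEMPTS


def replay(throttle, events, start):
    """Feed (seconds_offset, username) events; return the allow/refuse decisions."""
    return [throttle.attempt(user, start + timedelta(seconds=s))
            for s, user in events]


# Constructed sample: a guessing burst against ALICE, five attempts in 20 seconds.
START = datetime(2007, 10, 17, 15, 0, 0)
BURST = [(0, "ALICE"), (5, "ALICE"), (10, "ALICE"), (15, "ALICE"), (20, "ALICE")]

if __name__ == "__main__":
    t = LoginThrottle(exempt={"DBOWNER"})
    print("burst:        ", replay(t, BURST, START))
    # The real ALICE is refused while the burst is in the window; BOB is unaffected.
    print("during block: ", replay(t, [(30, "ALICE"), (30, "BOB")], START))
    # Once the last logged attempt is older than the window, ALICE gets in again.
    print("after window: ", replay(t, [(95, "ALICE")], START))
    # The exempt owner is never refused, however fast it retries.
    print("exempt owner: ", replay(t, [(100 + i, "DBOWNER") for i in range(5)], START))
```

The second result is the trade-off the text warns about: anyone who knows a username can keep that account locked out, which is why the exempt owner account matters.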
How to get a list of all roles
in a database?
Query the RDB$ROLES system table:
SELECT * FROM RDB$ROLES;
How to get a list of roles
granted to a user?
You need to query the RDB$USER_PRIVILEGES system
table. The following example shows all users and roles
granted to them:
SELECT u.RDB$USER, u.RDB$RELATION_NAME
FROM RDB$USER_PRIVILEGES u
WHERE u.RDB$PRIVILEGE = 'M'
ORDER BY 1, 2;
Does Firebird support field-level
Yes, it does for writing new values (UPDATE statements). To control the rights, use the GRANT and REVOKE statements:
GRANT UPDATE (field1) ON table1 TO USER1;
REVOKE UPDATE (field2) ON table2 FROM USER2;
If you wish to limit users to certain fields when reading (SELECT), a common way is to use views:
create view v1 (limited column list)
as select limited column list from table1;
And then grant the user SELECT rights only for the view. With views, you can also limit which records (rows) a user can see:
create view v1 (column,list)
as select column,list from table1
where ...constraining clause...;
If you need really complex rules, you can set up a stored procedure that would return NULLs for some columns to specific users.
Database limits & Data Type Specifics:
#InterBase Database Remote Protocol
Backup & Restore
GBAK is Firebird’s command line tool for online
backup and restore of a complete database.
gbak <options> -user <username> -password <password> <source> <destination>
For backups, <source> is the database you want to back up, <destination> is the file name of the backup file.
The usual extension is .fbk for Firebird and .gbk for InterBase.
Only SYSDBA or the database owner can perform a backup. For multi-file databases, specify only the name of
the first file as the database name.
Backup a database into a compressed format:
gbak -b db-srv://database.fdb /dev/stdout | gzip > /file.fbk.gz
For restores, <source> is the backup file and <destination> is the name of the database that is to be built up
from the backup file. You will have to specify the -C option for restore.
Restore a database into new filename:
zcat /file.fbk.gz | gbak -c /dev/stdin db-srv://new-database.fdb
Multi-file backup and restore: man gbak
commonly used extensions
Note that filename extensions used here are just recommended. Using a unified extension scheme helps guess
the file type just by looking at its extension.
.fdb Firebird database
.gdb Firebird database, legacy extension from the
days when Firebird was InterBase. gdb actually
comes from Groton database, named after the
company that created the software.
.fdb.2 Second file of multi-file database
.fdb.3 Third file of multi-file database
.fdb.N N-th file of multi-file database
.fbk Firebird backup file
.gbk Legacy extension for backup ﬁle
Some Firebird SQL tools
EMS SQL Manager for InterBase/Firebird
FlameRobin: another GUI tool, open source.
ibWebAdmin: web frontend for the Firebird and
InterBase database servers, written in PHP
Firebird Documentation Set
The Firebird FAQ
Firebird SQL statement and function reference