
Firebird 3.0, 4.0 and 5.0 Windows installers do not set the SYSDBA password if it was previously installed (even if not currently installed) #7826

Open
mrotteveel opened this issue Nov 3, 2023 · 19 comments


@mrotteveel
Member

The Firebird 3.0 - 5.0 installers do not configure the SYSDBA password if a Firebird install has been run previously. Attempting to authenticate after installation results in error "Install incomplete. To complete security database initialization please CREATE USER. For details read doc/README.security_database.txt.", which indicates that the installer never attempted to create a SYSDBA user, or it failed without the installer failing.

I have tried it with:

  • Firebird-3.0.9.33560_0_x64.exe
  • Firebird-3.0.10.33601_0_x64.exe
  • Firebird-3.0.11.33703_0_x64.exe
  • Firebird-4.0.2.2816-0-x64.exe
  • Firebird-4.0.3.2975-0-Win32.exe
  • Firebird-4.0.3.2975-0-x64.exe
  • Firebird-5.0.0.1227-ReleaseCandidate1-windows-x64.exe (the official RC1 installer)
  • Firebird-5.0.0.1261-0-RC2-windows-x64.exe (latest snapshot for RC2)

To be clear, I'm performing a fresh install, and the installation directory itself did not exist prior to running the installer. I'm using the default installer options, except I'm entering a custom SYSDBA password. With the 5.0.0.1261 installer, I also tried installing in a folder not under UAC control to see if it would work there (it didn't).

It seems that if any Firebird installer (or maybe an installer of the same major version) has been run, it will no longer set the SYSDBA password, even if that previous installation has been uninstalled, or was installed in a different directory.

The desired behaviour would be that if the security database did not exist yet in the target installation directory, the SYSDBA password is set.

@mrotteveel
Member Author

NB I did not check the Firebird 6.0 installer, so don't take its lack of mention as an indication that it works (or not) in that version.

@aafemt
Contributor

aafemt commented Nov 3, 2023

I still think that the problem is in the SRP auth plugin, which must either create the necessary tables at first access and/or return a normal "user not found" error.

@mrotteveel
Member Author

mrotteveel commented Nov 3, 2023

> I still think that the problem is in the SRP auth plugin, which must either create the necessary tables at first access and/or return a normal "user not found" error.

No, it is not. I first couldn't reproduce it with Firebird-4.0.3.2975-0-Win32.exe (it worked fine), and I thought it had to do with the existence or non-existence of the parent directory (e.g. C:\Program Files (x86)\Firebird), but then I tried it again after uninstalling and ensuring the parent directory did not exist anymore, and now it did not set the SYSDBA password.

In other words, it seems that once an installer has been run, it will no longer work, which to me suggests that the installer might look at registry keys or something and decide not to set SYSDBA then.

@reevespaul
Contributor

I think this might be a duplicate of #7726

A fix has been committed for that, and I had planned to check whether other versions were affected. Unfortunately, in addition to my usual workload, I've had a few other problems to deal with this last month.

I'll check 4.0.4 now and see if it is the same problem. If it is, the fix should be easy enough.

reevespaul added a commit that referenced this issue Nov 5, 2023
@reevespaul
Contributor

I reproduced this once with 4.0.3 but when I went back to test again I failed to reproduce the problem. So a problem exists but I have not been able to precisely isolate the circumstances when it will appear.

Anyway I've improved the logic in the installer that tests for a pre-configured security database and committed it to v4.0-release. It should be testable in the next snapshot.

@reevespaul reevespaul self-assigned this Nov 5, 2023
@mrotteveel
Member Author

It is indeed not consistently reproducible: I just retried with the 3.0.11 installer twice, and both times it did initialize the security database.

@krilbe

krilbe commented Jan 2, 2024

Not sure it helps but I just upgraded from 3.0.8 to 3.0.11 on Windows 64 bit and had my sysdba password reset to masterkey.

@oliwe

oliwe commented Feb 2, 2024

I just tested
Firebird-4.0.4.3010-0-x64
and SYSDBA password was not set.

Note: I tested this on my main productivity Win 11 system (where Firebird 3.0.10 was installed before) AND on a clean sandbox Win 11 untouched by any Firebird stuff before.

@tomaszdubiel18

Don't you think this is a critical problem?

@reevespaul
Contributor

reevespaul commented Apr 29, 2024 via email

@oliwe

oliwe commented Apr 29, 2024

If there is a pre-release version of 4.0.5, I would be happy to test it.

@reevespaul
Contributor

Nothing at the moment. The nightly snapshot builds are just for the zip kits.
I'll see if I can make pre-release versions available by another means.

@moyzer

moyzer commented May 9, 2024

Hi Paul,
I confirm this serious problem on the last Firebird-5.0.0.1306-0-windows-x86.
This is a Critical Vulnerability (URGENT)

It connects to a database without a password!

(In case of Devart / IBDAC Components / Delphi) Just put:
IBCConnection1.Username:='sysdba'; and it connects!

Scenario to reproduce:

  1. Install as usual (from the installer) Firebird-2.5.9.27139_0_Win32.exe
  2. Work on an old program I have, which uses FB 2.5, without any problem (with SYSDBA and masterkey)
  3. Now I have a new program with Firebird 5.0, so:
  4. I uninstall (from Control Panel) Firebird 2.5
  5. Don't delete the folder C:\Program Files (x86)\Firebird\Firebird_2_5
  6. Install as usual (from the installer) Firebird-5.0.0.1306-0-windows-x86.exe
  7. Leave all by default except: I choose "AsSuperClassic"
  8. Define the SYSDBA password at the end of the installation
  9. Then, my first installation of Firebird-5.0.0.1306-0 was working well (SYSDBA + password are required)

After this, I come back to my old program, which works with Firebird-2.5:

  1. I uninstall (from Control Panel) Firebird 5.0
  2. Don't delete the folder C:\Program Files (x86)\Firebird\Firebird_5_0 (to keep my SYSDBA password previously defined)
  3. Install as usual (from the installer) Firebird-2.5.9.27139_0_Win32.exe

And so on... I switched between 2.5 and 5.0.
Sometimes I delete the whole folder C:\Program Files (x86)\Firebird to re-install 2.5 or 5.0, and sometimes not.

This is what I did to obtain this problem.
Hoping this will help you to solve it.
Many Thx.

Kind Regards
Zerrouki


Paul, you said:
"Fb 4.0 has already been fixed, theoretically, but the fix was too late to make it into 4.0.4."
So, I tested the Firebird-4.0.4.3010-0-Win32.exe
But the problem persists.

@reevespaul
Contributor

Thanks for your detailed instructions. I shall see if I can reproduce this.

@aafemt
Contributor

aafemt commented May 9, 2024

> It connects to a database without a password!

@moyzer By design, Embedded mode doesn't need a password.

@mrotteveel
Member Author

mrotteveel commented May 9, 2024

@moyzer

> Hi Paul, I confirm this serious problem on the last Firebird-5.0.0.1306-0-windows-x86. This is a Critical Vulnerability (URGENT)
>
> It connects to a database without a password!

That is an entirely different problem. The behaviour you describe means you're using Firebird Embedded to connect, and not Firebird server. Firebird Embedded does not use authentication.

That likely means you have configured your application to point to the fbclient.dll in the Firebird server installation directory, instead of using the one in %WINDIR%\System32, or even specifically in your application directory.

You need to either point to a different fbclient.dll or you need to ensure you use a connection URL that includes the host name or XNET, that is, if you're currently connecting to C:\Somepath\yourdatabase.fdb, you need to use localhost:C:\Somepath\yourdatabase.fdb (legacy URL using TCP/IP), inet://localhost/C:\Somepath\yourdatabase.fdb (modern URL using TCP/IP), or xnet://C:\Somepath\yourdatabase.fdb (XNET, or local connection).

This changed with Firebird 3.0, because in Firebird 2.5 and earlier, you needed a separate build to be able to use embedded, but that is no longer the case since Firebird 3.0.
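
The connection string forms from the comment above, as an added example that is not part of the thread or of the Firebird project: a small Python check that flags strings which can be opened through the embedded engine (no authentication) instead of through the server. The function names and the `SAMPLES` list are assumptions made for illustration; the legacy pattern covers only the `host:path` and `host/port:path` forms.

```python
import re

# URL schemes named in the thread; both go through the Firebird server.
_URL = re.compile(r"^(inet|xnet)://", re.IGNORECASE)
# Legacy "host:path" or "host/port:path". One letter before the colon is a
# Windows drive (C:\...), not a host, so a host needs at least two characters.
_LEGACY = re.compile(r"^[A-Za-z0-9_.-]{2,}(?:/[A-Za-z0-9_-]+)?:.+$")


def classify(conn):
    """Return (transport, embedded_possible) for a Firebird 3.0+ connection string."""
    conn = conn.strip()
    m = _URL.match(conn)
    if m:
        return (m.group(1).lower(), False)
    if _LEGACY.match(conn):
        return ("inet-legacy", False)
    # Bare path or alias: if the fbclient.dll in use can load the engine
    # (e.g. the one in the server installation directory), the database is
    # opened embedded and the SYSDBA password is never checked.
    return ("none", True)


def embedded_candidates(conns):
    """Connection strings that should be reviewed before trusting the password."""
    return [c for c in conns if classify(c)[1]]


# Constructed sample input: the four forms quoted in the thread.
SAMPLES = [
    r"C:\Somepath\yourdatabase.fdb",
    r"localhost:C:\Somepath\yourdatabase.fdb",
    r"inet://localhost/C:\Somepath\yourdatabase.fdb",
    r"xnet://C:\Somepath\yourdatabase.fdb",
]

if __name__ == "__main__":
    for c in SAMPLES:
        transport, embedded = classify(c)
        print(f"{c!r:55} transport={transport:12} embedded_possible={embedded}")
```
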

@moyzer

moyzer commented May 9, 2024

@mrotteveel

God bless you :)
Your analysis is relevant. You are right!

Yes, my application is pointing to fbClient.dll which is on the server at: C:\Program Files (x86)\Firebird\Firebird_5_0\fbClient.dll
Then, as you said, I can connect without a password. I never thought I was in embedded mode with this.

As you suggested, I changed the fbClient library path to: IBCConnection1.ClientLibrary:='C:\Windows\SysWOW64\fbclient.dll';
then all is fine (password is required).

IMHO, this should be well described on:
https://firebirdsql.org/file/documentation/html/en/firebirddocs/qsg5/firebird-5-quickstartguide.html
on $4.2. Windows.

Thx again, and sorry for any inconvenience.

@mrotteveel
Member Author

@moyzer It is already covered in https://firebirdsql.org/file/documentation/html/en/firebirddocs/qsg5/firebird-5-quickstartguide.html#qsg5-databases-connstrings-local

@moyzer

moyzer commented May 11, 2024

@paul Reeves

Good news: I re-installed Firebird-5.0.0.1306-0-windows-x86.exe many times
(On Windows Pro 64 Version 10.0.19045 Build 19045)

without any problem: it defines the new SYSDBA password as expected (at the end of installation).
Even if I come back to Firebird-2.5.9.27139_0_Win32.exe.

So sorry for the disturbing ideas.

Kindest Regards
Zerrouki

Also, Thx @aafemt for having guessed the riddle.
