Re: extended stored procedure catch 22

From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 02/16/05


Date: Tue, 15 Feb 2005 18:37:55 -0600

Cross-database chaining is off by default in SQL 2000 SP3+ so that you don't
inadvertently open a security hole. You should enable 'db chaining' in your
user database only if you fully understand the security implications.

The main cross-database chaining consideration with an sa-owned user
database is that only sysadmin role members should have permissions to
create dbo-owned objects in that database. The DBA should scrutinize
database objects to ensure that only the intended commands can be executed.
As long as you've locked down the user database, you can leverage
cross-database chaining to provide needed application functionality while
preventing direct ad-hoc extended stored procedure execution.

-- 
Hope this helps.
Dan Guzman
SQL Server MVP
"Neil W." <neilw@netlib.com> wrote in message 
news:e%23oF3H7EFHA.392@TK2MSFTNGP14.phx.gbl...
> How does a stored procedure call an extended stored procedure, when the
> stored procedure is not in master?  (I don't want to give direct permission
> to the underlying extended stored procedure).
>
> It seems you have to turn on database chaining, yet there are articles all
> over the place saying database chaining is a security risk. "That's quite a
> catch, our Catch-22".
>
> Any suggestions for the best approach?
>
> Thanks.
>
>
>
> 
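
The setup described in the reply above, sketched as an added T-SQL example for SQL Server 2000 SP3+; it is not part of either original post. The names AppDb, app_role, usp_RunExtProc and xp_placeholder are hypothetical placeholders, and app_role is assumed to exist already.

```sql
-- Added illustration; AppDb, app_role, usp_RunExtProc and
-- xp_placeholder are hypothetical names, not from the thread.
USE AppDb
GO
-- 1. Confirm the user database is owned by sa (expected result: sa).
SELECT SUSER_SNAME(sid) AS db_owner_login
FROM master.dbo.sysdatabases
WHERE name = 'AppDb'
GO
-- 2. Enable chaining for this one database, not server-wide.
EXEC sp_dboption 'AppDb', 'db chaining', 'true'
GO
-- 3. dbo-owned wrapper around the extended stored procedure.
--    The argument is passed as a typed parameter. Avoid dynamic SQL
--    here: EXEC('...') is checked against the caller's own permissions
--    and would let callers shape the command text.
CREATE PROCEDURE dbo.usp_RunExtProc
    @arg varchar(128)
AS
    EXEC master.dbo.xp_placeholder @arg
GO
-- 4. Callers get EXECUTE on the wrapper only, and no permission
--    on the extended stored procedure itself.
GRANT EXECUTE ON dbo.usp_RunExtProc TO app_role
GO
-- 5. Lockdown review: members of roles that can create objects
--    under the dbo name in this database.
EXEC sp_helprolemember 'db_owner'
EXEC sp_helprolemember 'db_ddladmin'
GO
-- 6. Lockdown review: dbo-owned user objects, newest first, so an
--    unexpected procedure, view, function or trigger stands out.
SELECT name, xtype, crdate
FROM sysobjects
WHERE uid = 1                                  -- uid 1 is dbo
  AND OBJECTPROPERTY(id, 'IsMSShipped') = 0
  AND xtype IN ('P', 'V', 'FN', 'TF', 'IF', 'TR')
ORDER BY crdate DESC
GO
```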

