Re: extended stored procedure catch 22

From: Neil W. (neilw_at_netlib.com)
Date: 02/17/05

    Date: Wed, 16 Feb 2005 20:25:36 -0500
    
    

    Thanks for the reply, Dan. Am I correct in saying that the only way to
    enable extended stored procedures from a UDF/Stored-Procedure is to enable
    chaining?

    ------------------------------------
    "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in message
    > Cross-database chaining is off by default in SQL 2000 SP3+ so that you don't
    > inadvertently open a security hole. You should enable 'db chaining' in your
    > user database only if you fully understand the security implications.
    >
    > The main cross-database chaining consideration with an sa-owned user
    > database is that only sysadmin role members should have permissions to
    > create dbo-owned objects in that database. The DBA should scrutinize
    > database objects to ensure that only the intended commands can be executed.
    > As long as you've locked-down the user database, you can leverage
    > cross-database chaining to provide needed application functionality while
    > preventing direct ad-hoc extended stored procedure execution.
    >
    > --
    > Hope this helps.
    >
    > Dan Guzman
    > SQL Server MVP
    >
    > "Neil W." <neilw@netlib.com> wrote in message
    > news:e%23oF3H7EFHA.392@TK2MSFTNGP14.phx.gbl...
    > > How does a stored procedure call an extended stored procedure, when the
    > > stored procedure is not in master? (I don't want to give direct permission
    > > to the underlying extended stored procedure).
    > >
    > > It seems you have to turn on database chaining, yet there are articles all
    > > over the place saying database chaining is a security risk. "That's quite a
    > > catch, our Catch-22".
    > >
    > > Any suggestions for the best approach?
    > >
    > > Thanks.
    > >
    >
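
The arrangement discussed in this thread, sketched in T-SQL for SQL Server 2000 SP3+ as an added example that is not part of the original messages. The database name AppDb, the wrapper usp_LogAppEvent, the role app_users and the choice of xp_logevent as the extended stored procedure are assumptions made for illustration.

```sql
-- Added example. Assumed names: AppDb, usp_LogAppEvent, app_users.

USE master
GO
-- Confirm the user database is owned by sa, the same owner as master.
-- The ownership chain from a dbo-owned wrapper into master depends on this.
SELECT name, SUSER_SNAME(sid) AS owner_login
FROM master.dbo.sysdatabases
WHERE name = 'AppDb'
GO
-- Enable chaining for this one database only (per-database option added in SP3).
EXEC sp_dboption 'AppDb', 'db chaining', 'true'
GO

USE AppDb
GO
-- dbo-owned wrapper: error number and severity are fixed, so callers
-- control only the message text passed to the extended stored procedure.
CREATE PROCEDURE dbo.usp_LogAppEvent
    @msg varchar(200)
AS
    EXEC master.dbo.xp_logevent 60000, @msg, 'informational'
GO
-- Application users get EXECUTE on the wrapper only; no permission is
-- granted on master.dbo.xp_logevent itself.
EXEC sp_addrole 'app_users'
GO
GRANT EXECUTE ON dbo.usp_LogAppEvent TO app_users
GO

-- Lock-down review: members of these roles can create dbo-owned objects,
-- which would also chain into master. Keep membership to sysadmins.
EXEC sp_helprolemember 'db_owner'
EXEC sp_helprolemember 'db_ddladmin'
GO
-- Review every dbo-owned module in the database, newest first.
SELECT name, xtype, crdate
FROM sysobjects
WHERE uid = USER_ID('dbo')
  AND xtype IN ('P', 'FN', 'TF', 'IF', 'V', 'TR')
ORDER BY crdate DESC
GO
```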

