Re: extended stored procedure catch 22

From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 02/17/05

    Date: Wed, 16 Feb 2005 19:47:17 -0600
    
    

    > Am I correct in saying that the only way to
    > enable extended stored procedures from a UDF/Stored-Procedure is to enable
    > chaining?

    Yes, assuming that you don't grant execute permissions on the extended
    stored procedure.

    -- 
    Hope this helps.
    Dan Guzman
    SQL Server MVP
    "Neil W." <neilw@netlib.com> wrote in message 
    news:lrSQd.5118$SP4.4094@fe11.lga...
    > Thanks for the reply, Dan. Am I correct in saying that the only way to
    > enable extended stored procedures from a UDF/Stored-Procedure is to enable
    > chaining?
    >
    > ------------------------------------
    > "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in message
    >> Cross-database chaining is off by default in SQL 2000 SP3+ so that you don't
    >> inadvertently open a security hole.  You should enable 'db chaining' in your
    >> user database only if you fully understand the security implications.
    >>
    >> The main cross-database chaining consideration with an sa-owned user
    >> database is that only sysadmin role members should have permissions to
    >> create dbo-owned objects in that database.  The DBA should scrutinize
    >> database objects to ensure that only the intended commands can be executed.
    >> As long as you've locked-down the user database, you can leverage
    >> cross-database chaining to provide needed application functionality while
    >> preventing direct ad-hoc extended stored procedure execution.
    >>
    >> -- 
    >> Hope this helps.
    >>
    >> Dan Guzman
    >> SQL Server MVP
    >>
    >> "Neil W." <neilw@netlib.com> wrote in message
    >> news:e%23oF3H7EFHA.392@TK2MSFTNGP14.phx.gbl...
    >> > How does a stored procedure call an extended stored procedure, when the
    >> > stored procedure is not in master?  (I don't want to give direct permission
    >> > to the underlying extended stored procedure).
    >> >
    >> > It seems you have to turn on database chaining, yet there are articles all
    >> > over the place saying database chaining is a security risk. "That's quite
    >> > a catch, our Catch-22".
    >> >
    >> > Any suggestions for the best approach?
    >> >
    >> > Thanks.
    > 
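
The setup discussed in this thread, written out as an added T-SQL example for SQL Server 2000 SP3+ (it is not code from the original posts). AppDb, usp_LogAppEvent and the AppUsers role are hypothetical names, and xp_logevent is an assumed stand-in for whichever extended stored procedure the application needs.

```sql
-- Added example; AppDb, usp_LogAppEvent and AppUsers are hypothetical names.
-- xp_logevent stands in for the extended stored procedure being wrapped.

USE AppDb
GO

-- 1. The chain only continues into master if both objects have the same
--    owner, so the user database must be owned by sa. Check the current
--    owner with sp_helpdb first; sp_changedbowner raises an error if the
--    login is already a user (or dbo) in the database.
EXEC sp_helpdb 'AppDb'
EXEC sp_changedbowner 'sa'
GO

-- 2. Turn on cross-database chaining for this one database only.
--    It is off by default from SP3 onward.
EXEC sp_dboption 'AppDb', 'db chaining', 'true'
GO

-- 3. dbo-owned wrapper. The caller controls only the message text; the
--    event number and severity are fixed, so only the intended command
--    can be executed through it.
CREATE PROCEDURE dbo.usp_LogAppEvent
    @message varchar(200)
AS
    EXEC master.dbo.xp_logevent 60000, @message, 'informational'
GO

-- 4. Grant execute on the wrapper. No permission is granted on
--    master.dbo.xp_logevent itself, so direct ad-hoc calls still fail.
GRANT EXECUTE ON dbo.usp_LogAppEvent TO AppUsers
GO

-- 5. Lock-down review. Confirm the option, then list everyone who can
--    create dbo-owned objects in AppDb; each of them can now reach
--    dbo-owned objects in other chaining-enabled databases.
EXEC sp_dboption 'AppDb', 'db chaining'      -- shows the current setting
EXEC sp_helprolemember 'db_owner'
EXEC sp_helprolemember 'db_ddladmin'

-- Procedures, functions, views and triggers to scrutinize, with their owners.
SELECT name, USER_NAME(uid) AS owner_name, xtype, crdate
FROM   sysobjects
WHERE  xtype IN ('P', 'FN', 'IF', 'TF', 'V', 'TR')
ORDER  BY crdate DESC
GO
```

Re-run step 5 whenever role membership changes, since members of db_owner and db_ddladmin can create dbo-owned objects that take part in the chain.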
    
