Re: extended stored procedure catch 22

From: Neil W. (neilw_at_netlib.com)
Date: 02/18/05


Date: Thu, 17 Feb 2005 20:18:15 -0500

And the downside of granting execute permissions on the extended procedures
is that it would enable users to execute them directly, correct?

Thanks. I wanted to make sure I understand.

-------------------------------------

"Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in message
> > Am I correct in saying that the only way to
> > enable extended stored procedures from a UDF/Stored-Procedure is to enable
> > chaining?
>
> Yes, assuming that you don't grant execute permissions on the extended
> stored procedure.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> "Neil W." <neilw@netlib.com> wrote in message
> news:lrSQd.5118$SP4.4094@fe11.lga...
> > Thanks for the reply, Dan. Am I correct in saying that the only way to
> > enable extended stored procedures from a UDF/Stored-Procedure is to enable
> > chaining?
> >
> > ------------------------------------
> > "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in message
> >> Cross-database chaining is off by default in SQL 2000 SP3+ so that you don't
> >> inadvertently open a security hole. You should enable 'db chaining' in your
> >> user database only if you fully understand the security implications.
> >>
> >> The main cross-database chaining consideration with an sa-owned user
> >> database is that only sysadmin role members should have permissions to
> >> create dbo-owned objects in that database. The DBA should scrutinize
> >> database objects to ensure that only the intended commands can be executed.
> >> As long as you've locked-down the user database, you can leverage
> >> cross-database chaining to provide needed application functionality while
> >> preventing direct ad-hoc extended stored procedure execution.
> >>
> >> --
> >> Hope this helps.
> >>
> >> Dan Guzman
> >> SQL Server MVP
> >>
> >> "Neil W." <neilw@netlib.com> wrote in message
> >> news:e%23oF3H7EFHA.392@TK2MSFTNGP14.phx.gbl...
> >> > How does a stored procedure call an extended stored procedure, when the
> >> > stored procedure is not in master? (I don't want to give direct permission
> >> > to the underlying extended stored procedure).
> >> >
> >> > It seems you have to turn on database chaining, yet there are articles all
> >> > over the place saying database chaining is a security risk. "That's quite a
> >> > catch, our Catch-22".
> >> >
> >> > Any suggestions for the best approach?
> >> >
> >> > Thanks.
> >> >
>
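
The locked-down setup described in the thread, as an added T-SQL sketch that is not part of the original messages. It assumes SQL Server 2000 SP3+; the database `AppDb`, the extended procedure `xp_example`, the wrapper `usp_call_xp_example` and the role `app_users` are hypothetical names.

```sql
-- Hypothetical names (not from the thread): AppDb, xp_example,
-- usp_call_xp_example, app_users. Targets SQL Server 2000 SP3+.

USE AppDb
GO

-- 1. The user database must be owned by the same login that owns master (sa);
--    otherwise the ownership chain from the wrapper to the extended procedure
--    is broken. Skip this step if AppDb is already sa-owned.
EXEC sp_changedbowner 'sa'
GO

-- 2. Enable cross-database ownership chaining for this database only,
--    rather than server-wide.
EXEC sp_dboption 'AppDb', 'db chaining', 'true'
GO

-- 3. dbo-owned wrapper that exposes exactly one call with a typed parameter.
--    No caller-supplied command text reaches the extended procedure.
CREATE PROCEDURE dbo.usp_call_xp_example
    @input varchar(100)
AS
    EXEC master.dbo.xp_example @input
GO

-- 4. Users get EXECUTE on the wrapper only, never on the extended procedure.
--    (app_users is assumed to be an existing database role.)
GRANT EXECUTE ON dbo.usp_call_xp_example TO app_users
GO

-- 5. Audit who can create dbo-owned objects in AppDb. Members of these fixed
--    roles can create objects owned by dbo, which would then chain into master.
--    Per the advice in the thread, only sysadmin members should be able to.
EXEC sp_helprolemember 'db_owner'
EXEC sp_helprolemember 'db_ddladmin'
GO

-- 6. Report the current chaining setting for the database.
EXEC sp_dboption 'AppDb', 'db chaining'
GO

-- 7. Review permissions on the extended procedure itself; application users
--    and public should not appear with EXECUTE.
USE master
GO
EXEC sp_helprotect 'xp_example'
GO
```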