Re: current security context is not trusted (cross db ownership ch
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Tue, 11 Dec 2007 22:22:40 +0000 (UTC)
Dan Guzman (guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx) writes:
> The reason cross-database chaining works without DB_CHAINING enabled is
> that you turned on DB_CHAINING at the server level with the sp_configure
> 'cross db ownership chaining' option. The Best Practice is to leave it
> off at the server level and set DB_CHAINING at the database level with
> ALTER DATABASE only in the specific cases where needed. Of course, you
> should be aware of the security implications as described in the Books
> Online.
To get DB chaining to work, you need to activate it both on server level
and database level. Books Online says:
   The instance of SQL Server will recognize this setting when the cross
   db ownership chaining server option is 0 (OFF). When cross db ownership
   chaining is 1 (ON), all user databases can participate in
   cross-database ownership chains, regardless of the value of this
   option. This option is set by using sp_configure.
Which makes sense. Since DB-Chaining is a feature that can permit
a malicious database owner to get access to other people's databases,
the DBA needs to control it on server level.
If you are the DBA and anyone who is a db_owner is also a sysadmin member,
enabling 'cross db ownership chaining' is not likely to be a risk. But
if there are people who have control over their own databases, but have
no special privs outside that database, you do best to leave that option
off.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
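
An added example, not part of the original post: a T-SQL audit of the server option and the per-database DB_CHAINING flag discussed in this thread, ending with the configuration Dan Guzman describes as best practice. The database name `SalesDb` is a placeholder, and the queries assume SQL Server 2005 or later catalog views.

```sql
-- Added example (constructed); [SalesDb] is a placeholder database name.

-- 1. Server-wide option. value_in_use = 1 means every user database can
--    take part in cross-database ownership chains, whatever its own flag says.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'cross db ownership chaining';

-- 2. Per-database flag and database owner for user databases
--    (database_id > 4 skips master, tempdb, model and msdb).
--    owner_is_sysadmin = 0 with chaining active is the case to review.
SELECT d.name                    AS database_name,
       d.is_db_chaining_on,
       SUSER_SNAME(d.owner_sid)  AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))
                                 AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.database_id > 4
ORDER BY d.is_db_chaining_on DESC, d.name;

-- 3. Run inside each database that participates in chaining:
--    members of db_owner and whether each maps to a sysadmin login.
--    NULL means the user's SID does not resolve to a server login.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(m.sid)) AS member_is_sysadmin
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

-- 4. Server option off, chaining enabled only on the database that needs it.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
ALTER DATABASE [SalesDb] SET DB_CHAINING ON;

-- 5. Confirm the result.
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE name = N'SalesDb';
```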