Re: current security context is not trusted (cross db ownership ch



Dan Guzman (guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx) writes:
The reason cross-database chaining works without DB_CHAINING enabled is
that you turned on DB_CHAINING at the server level with the sp_configure
'cross db ownership chaining' option. The Best Practice is to leave it
off at the server level and set DB_CHAINING at the database level with
ALTER DATABASE only in the specific cases where needed. Of course, you
should be aware of the security implications as described in the Books
Online.

To get DB chaining to work, you need to activate it both on server level
and database level. Books Online says:

The instance of SQL Server will recognize this setting when the cross
db ownership chaining server option is 0 (OFF). When cross db ownership
chaining is 1 (ON), all user databases can participate in
cross-database ownership chains, regardless of the value of this
option. This option is set by using sp_configure.

Which makes sense. Since DB-Chaining is a feature that can permit
a malicious database owner to get access to other people's databases,
the DBA needs to control it on server level.

If you are the DBA and everyone who is a db_owner is also a sysadmin
member, enabling 'cross db ownership chaining' is not likely to be a risk.
But if there are people who have control of their own databases, but have
no special privileges outside that database, you do best to leave that
option off.

--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
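The configuration the post recommends, written out as an added example (not part of the original post or of Books Online): the server-level option is left off, DB_CHAINING is switched on only for the databases that need to participate in a chain, and two catalog queries confirm the effective state. The database names SalesApp and SalesReporting are placeholders; sys.configurations and sys.databases are the SQL Server 2005 catalog views.

```sql
-- Added example: server-wide chaining OFF, per-database chaining ON only where needed.
-- Database names are placeholders.

-- 1. See the current server-level value.
--    run_value = 1 means every user database chains, whatever its own DB_CHAINING says.
EXEC sp_configure 'cross db ownership chaining';

-- 2. Keep the server-level option off (the recommended default).
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;

-- 3. Enable chaining only on the specific databases that need it.
ALTER DATABASE SalesApp       SET DB_CHAINING ON;
ALTER DATABASE SalesReporting SET DB_CHAINING ON;

-- 4. Verify: the server option should read 0 in both value and value_in_use ...
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'cross db ownership chaining';

-- ... and only the intended databases should have is_db_chaining_on = 1.
SELECT name, is_db_chaining_on
FROM   sys.databases
WHERE  is_db_chaining_on = 1
ORDER  BY name;
```

If the first query in step 4 still shows value_in_use = 1, the per-database setting is being ignored exactly as the Books Online passage quoted above describes, and every database on the instance is chaining regardless of its own DB_CHAINING flag.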