Re: Exec permissions on Stored Procedure



On Aug 5, 4:42 pm, Erland Sommarskog <esq...@xxxxxxxxxxxxx> wrote:


No, it's not a security hole, it's that you probably have not grasped
the mechanism whereby a user gets access to objects through stored
procedures.

We often think of it as "if a user has the rights to execute a stored
procedure, he does not need access to the underlying table", but there is
a very important assumption which is tacitly understood: the table and
the procedure have the same owner. The mechanism is therefore also known
as *ownership chaining*.


--
Erland Sommarskog, SQL Server MVP, esq...@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books...
Books Online for SQL Server 2000 at http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx


Erland,

Thanks for the link. The explanation of ownership chaining explained
what I was running into. The stored procedure and the table had
different owners.

I'm still fuzzy on one thing if you could explain. Say you have a
situation where a stored procedure is performing an insert to a table
with a different owner and / or schema. Because of this the user (In
my case the aspnet machine account for a web app) must have insert
permission to the underlying table as well as execute permission to
the SP. With the SP, I can control what that account can insert, but
it seems if that account has insert permission to the table, if
someone got control of the account, would they not have a lot more
control over the table?

Thanks,

Mark B
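
Added example, not part of the original thread: a T-SQL walk-through (SQL Server 2005 or later) of the ownership chaining behaviour discussed above, first with the procedure and table under different owners, then under the same owner. The database, schemas, users, table and procedure names are hypothetical and constructed for this demo.

```sql
-- Constructed demo; ChainDemo, AppUser, OwnerA, OwnerB, web, sales are hypothetical names.
CREATE DATABASE ChainDemo;
GO
USE ChainDemo;
GO
CREATE USER AppUser WITHOUT LOGIN;   -- stands in for the web application account
CREATE USER OwnerA  WITHOUT LOGIN;   -- owns the schema holding the procedure
CREATE USER OwnerB  WITHOUT LOGIN;   -- initially owns the schema holding the table
GO
CREATE SCHEMA web AUTHORIZATION OwnerA;
GO
CREATE SCHEMA sales AUTHORIZATION OwnerB;
GO
CREATE TABLE sales.Orders (Id int IDENTITY PRIMARY KEY, Item nvarchar(50) NOT NULL);
GO
CREATE PROCEDURE web.AddOrder @Item nvarchar(50)
AS
    INSERT INTO sales.Orders (Item) VALUES (@Item);
GO
-- The only permission AppUser ever receives is EXECUTE on the procedure.
GRANT EXECUTE ON web.AddOrder TO AppUser;
GO

-- Case 1: procedure and table have different owners, so the chain is broken
-- and the caller's own INSERT permission on the table is checked.
EXECUTE AS USER = 'AppUser';
BEGIN TRY
    EXEC web.AddOrder @Item = N'widget';
END TRY
BEGIN CATCH
    PRINT 'Different owners, via procedure: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO

-- Case 2: give both schemas the same owner. The chain is now unbroken and
-- permissions on the table are not checked when it is reached through the procedure.
ALTER AUTHORIZATION ON SCHEMA::sales TO OwnerA;
GO
EXECUTE AS USER = 'AppUser';
EXEC web.AddOrder @Item = N'widget';               -- allowed through the procedure
BEGIN TRY
    INSERT INTO sales.Orders (Item) VALUES (N'direct');   -- no grant on the table itself
END TRY
BEGIN CATCH
    PRINT 'Same owner, direct insert: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
```

In the second case the account can write to the table only through the procedure, because it holds no permission on sales.Orders itself.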