Re: sa privileges and roles

From: Bonj (benjtaylor)
Date: 10/15/04

Next message: Jonathan Furman: "Re: Multiple SQL Operations, Single SPROC"
Previous message: Mal .mullerjannie_at_hotmail.com>: "RE: Query"
In reply to: Pranav: "sa privileges and roles"
Next in thread: Pranav: "Re: sa privileges and roles"
Reply: Pranav: "Re: sa privileges and roles"
Messages sorted by: [ date ] [ thread ]

Date: Fri, 15 Oct 2004 17:10:21 +0100

If you have access to the sp_OA* procedures, you can execute any code you
want from within the context of the SQL server's machine itself, and thus
perform any operation you like as you can create a new connection, say by
using ADO, using the windows authentication of the administrator account
running the machine. This is because any COM object created is run by the
SQL server's machine.
That's why you have to be sysadmin to use them - because you physically
can't give them to people and expect them *not* be able to get sysadmin
permissions to do other things.
SQL server isn't particularly fast at using COM objects anyway - they should
really only be used as a 'last resort' type thing...

"Pranav" <pranavr@hotmail.com> wrote in message
news:e2c10da5.0410141956.1f4e776c@posting.google.com...
> Hi All,
> We have a security requirement that the user account used to connect
> to sql should not have sysadmin priv. Now, we peform operations in SQL
> that make use of things like
> sp_OACreate/sp_replicationdboption/sp_dropdevice etc.
> BOL says
> "Only members of the sysadmin fixed server role can execute
> sp_OACreate."
>
> What I want to do is create a role, give this role explicit execute
> permission on the specific sp_* and add my user account to this role
> (and revoke the sa privileges).
> Do you think this approach is ok? The concern raised was that the doc
> explicity asks for members of sysadmin. This is different from a
> statement like
>
> "Execute permissions default to members of the sysadmin and diskadmin
> fixed server roles."
>
> Thanks
> Pranav

Next message: Jonathan Furman: "Re: Multiple SQL Operations, Single SPROC"
Previous message: Mal .mullerjannie_at_hotmail.com>: "RE: Query"
In reply to: Pranav: "sa privileges and roles"
Next in thread: Pranav: "Re: sa privileges and roles"
Reply: Pranav: "Re: sa privileges and roles"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

sa privileges and roles
... We have a security requirement that the user account used to connect ... we peform operations in SQL ... "Only members of the sysadmin fixed server role can execute ...
(microsoft.public.sqlserver.programming)
Re: Opinions on approach, please...
... Create a data layer program per table, ... number of bind variable tokens in your dynamic SQL. ... then simply EXECUTE that without passing it any parameters? ... Hard code WHERE clauses. ...
(comp.lang.cobol)
Re: SQL Injection- Bypassing magic_quotes
... Because i was trying to execute: ... Don't terminate the query and you most ... Or try something like bobcat or one of the other SQL injection tools out ... Chief Information Security Officer ...
(Pen-Test)
Re: Opinions on approach, please...
... Create a data layer program per table, ... number of bind variable tokens in your dynamic SQL. ... then simply EXECUTE that without passing it any parameters? ... explicitly code dummy words as bind variable placekeepers, put the host variables on the ...
(comp.lang.cobol)
Re: Poor performance when executing stored procedure
... > Generally I would write stored procedures to do only one job. ... If SQL Server ... > which is even worse those sps can execute each other. ... > then executed spOrders which is executed in spCustomers and then got stuck ...
(microsoft.public.sqlserver.programming)