How to restrict evil create scripts?

Hi,

For a service I'm working on I need to ask the user for their database
create script. It's used to re-create the user's database schema in a
temporary database on an in-house server in an automated fashion.

For security reasons, I need to be sure that the create script can only
create tables, columns etc. and not do things like snooping in other
databases and/or formatting the server.

Can you give me pointers about what the minimum grants are to let good
scripts execute successfully and evil scripts fail?

Regards,

Ward
Aug 8 '06 #1
Ward,

I would say as long as your permissions are set right you don't have to
worry. If your user only has rights in their own databases they
shouldn't be able to access other user databases. Xp_Cmdshell, which
would be able to delete files or run other OS commands, is (by default)
only available to members of the sysadmin role.
So I would say create an empty database and grant the user only db_owner
or ddl_admin rights within the database.

Markus

Aug 8 '06 #2
Ward Bekker (wa**@NospaaMequanimity.nl) writes:
> For a service I'm working on I need to ask the user for their database
> create script. It's used to re-create the user's database schema in a
> temporary database on an in-house server in an automated fashion.
>
> For security reasons, I need to be sure that the create script can only
> create tables, columns etc. and not do things like snooping in other
> databases and/or formatting the server.
>
> Can you give me pointers about what the minimum grants are to let good
> scripts execute successfully and evil scripts fail?

First of all, which version of SQL Server, including service pack, do you
have?

As M.Bohse said, run the scripts as a user who only has access in that
database, although in that database he needs some privs. Very important:
make sure that cross-database chaining is turned off, and that the
database is not set as trustworthy on SQL 2005.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Aug 8 '06 #3
Hi Erland,

Thanks for the tips!

We are running SQL Server 2005.

Ward

Erland Sommarskog wrote:
> Ward Bekker (wa**@NospaaMequanimity.nl) writes:
>> For a service I'm working on I need to ask the user for their database
>> create script. It's used to re-create the user's database schema in a
>> temporary database on an in-house server in an automated fashion.
>>
>> For security reasons, I need to be sure that the create script can only
>> create tables, columns etc. and not do things like snooping in other
>> databases and/or formatting the server.
>>
>> Can you give me pointers about what the minimum grants are to let good
>> scripts execute successfully and evil scripts fail?
>
> First of all, which version of SQL Server, including service pack, do you
> have?
>
> As M.Bohse said, run the scripts as a user who only has access in that
> database, although in that database he needs some privs. Very important:
> make sure that cross-database chaining is turned off, and that the
> database is not set as trustworthy on SQL 2005.

Aug 9 '06 #4
Ward Bekker (wa**@NospaaMequanimity.nl) writes:
> Hi Erland,
>
> Thanks for the tips!
>
> We are running SQL Server 2005.

In that case you should grant CONTROL on the dbo schema for the database
user. Maybe they are creating other schemas, but then they need to include
GRANTs for that.

You should also use

select name, is_trustworthy_on, is_db_chaining_on
from sys.databases

to make sure that the databases are not marked as trustworthy, or available
for DB-chaining.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Aug 9 '06 #5
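
The setup discussed in this thread, put together as an added T-SQL example for SQL Server 2005 (not code from any of the posters). The names sandbox_db, sandbox_login and sandbox_user and the password are placeholders, and the database-level CREATE grants are an addition to the CONTROL grant named above.

```sql
-- Added example. sandbox_db, sandbox_login, sandbox_user and the password
-- are placeholders chosen for illustration.
USE master;
GO
CREATE DATABASE sandbox_db;
GO
-- Both options are OFF by default for new user databases; setting them
-- explicitly guards against a changed model database or a restored copy.
ALTER DATABASE sandbox_db SET TRUSTWORTHY OFF;
ALTER DATABASE sandbox_db SET DB_CHAINING OFF;
GO
-- The login gets no server roles and is mapped into this database only.
CREATE LOGIN sandbox_login WITH PASSWORD = '<replace-with-generated-password>';
GO
USE sandbox_db;
GO
CREATE USER sandbox_user FOR LOGIN sandbox_login;
-- CONTROL on the dbo schema, as suggested in the thread.
GRANT CONTROL ON SCHEMA::dbo TO sandbox_user;
-- Creating objects also requires the matching database-level CREATE
-- permission in addition to rights on the schema.
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE FUNCTION
    TO sandbox_user;
GO
-- Audit 1: user databases (database_id > 4 skips master, tempdb, model, msdb)
-- that are marked trustworthy or take part in ownership chaining.
SELECT name, is_trustworthy_on, is_db_chaining_on
FROM sys.databases
WHERE database_id > 4
  AND (is_trustworthy_on = 1 OR is_db_chaining_on = 1);
-- Audit 2: server-wide settings; a nonzero value_in_use means the
-- feature is enabled for the whole instance.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('cross db ownership chaining', 'xp_cmdshell');
GO
-- Audit 3: list the databases the restricted login can enter. Anything
-- besides sandbox_db and guest-enabled system databases needs review.
EXECUTE AS LOGIN = 'sandbox_login';
SELECT name FROM sys.databases WHERE HAS_DBACCESS(name) = 1;
REVERT;
GO
```

Run the submitted create script over a separate connection that logs in as sandbox_login rather than under EXECUTE AS from an administrator session, since a script executed that way can itself issue REVERT.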