Yukon Security (Impersonate permissions)

  • Hey there,

    Haven't had a chance to play with SQL 2005 yet, but I'm reading you can execute procedure as user = 'any user'. That's great for dynamic SQL inside the stored procedure, but doesn't it mean anyone who has Impersonate permissions can execute procedure as dbo?

    So now, since principals don't need to have rights on specific objects, they can just go:

    execute as user = 'dbo'

    truncate table dbo.ReallyImportantData

    ??

     

  • The following was tested using the April SQL 2005 CTP:

    -- Step #1: Created WeakUser Login

    CREATE LOGIN WeakUser WITH PASSWORD = 'Password1';

    CREATE USER WeakUser;

    -- Step #2: Log on as WeakUser Login

    -- Step #3: Attempt to Execute as 'DBO'

    execute as user = 'DBO'

    -- Step #4: Permission Denied since "WeakUser" does not have authority

    Msg 15517, Level 16, State 1, Line 1

    Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission.

        Rick Phillips
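The test above shows that impersonation is denied unless it has been granted. As an added example (not part of the original posts), the script below grants IMPERSONATE on one specific low-privilege user and then audits which principals hold explicit IMPERSONATE grants. ReportOwner is a hypothetical user name; WeakUser is the user created in the post, and the script assumes it is run by a db_owner member in a test database.

```sql
-- Added example. ReportOwner is a hypothetical, low-privilege user.
CREATE USER ReportOwner WITHOUT LOGIN;

-- Scope the grant to one named principal; do not grant it on dbo.
GRANT IMPERSONATE ON USER::ReportOwner TO WeakUser;

-- Check the grant from WeakUser's point of view without logging off:
-- execution contexts nest, so each EXECUTE AS needs its own REVERT.
EXECUTE AS USER = 'WeakUser';
    EXECUTE AS USER = 'ReportOwner';       -- allowed by the grant above
    SELECT USER_NAME() AS current_context;
    REVERT;                                -- back to WeakUser
REVERT;                                    -- back to the original caller

-- Audit 1: explicit IMPERSONATE permissions on database users.
-- Members of db_owner and sysadmin can impersonate without a grant,
-- so review those memberships separately.
SELECT grantee.name  AS grantee,
       target.name   AS can_impersonate,
       p.state_desc  AS permission_state
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee
     ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS target
     ON target.principal_id = p.major_id
WHERE p.class_desc = 'DATABASE_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- Audit 2: explicit IMPERSONATE permissions on server logins
-- (these govern EXECUTE AS LOGIN).
SELECT grantee.name  AS grantee,
       target.name   AS can_impersonate,
       p.state_desc  AS permission_state
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
     ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target
     ON target.principal_id = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';
```

Any row in either audit result whose can_impersonate column names dbo, a db_owner member, or a sysadmin login is a grant to review first.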

  • What happens if, after Step #3, I execute

    execute as login='DBO'

    and continue ...

    execute as user='DBO'
