How come a login with no rights can give himself db_creator?
I just created a new login using the GUI, which generates this script:
USE [master]
GO
CREATE LOGIN [tester] WITH PASSWORD=N'tester', DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use [master]
GO
GRANT CREATE ANY DATABASE TO [tester]
GO
This login was granted to a person who wanted to make a new database. I didn't want to give him db_creator rights, so I used the code above. However, after he installed his application (in which the creation of a database is included), I checked the login again, and now it has the db_creator server role! Somehow he has granted this to himself, and theoretically he could delete my databases now! I've tested this 3 times to make sure that this is indeed what is happening. I've made a trigger to prevent the deletion of databases, which he can't access, but I'm still worried.
How is this even possible and how can I prevent it?
sql-server sql-server-2008-r2 security
asked Mar 6 '15 at 13:13
user1261104
1 Answer
By using the listed script, the user cannot give himself server level create db rights. My next step would look to see if it's possible someone else with sysadmin or high-level permissions did that for him because they misunderstood permissions.
answered Mar 9 '15 at 21:45
HMan06
The person and I were the only ones working on the database. As I didn't give him the permissions, there would seem no other option than him doing it...
– user1261104
Mar 16 '15 at 9:26
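Added example, not part of the original posts: one way to follow the answer's suggestion is to list what the login currently holds and to ask the default trace which session added it to a server role. It assumes the login name tester from the question and that the default trace is enabled and still holds the event; the fixed server role appears in these views under its real name, dbcreator.

```sql
-- Added example; run as a sysadmin in a single batch (no GO between statements).
-- 'tester' is the login from the question.
DECLARE @login sysname = N'tester';

-- 1. Fixed server roles the login is currently a member of.
SELECT r.name AS server_role,
       m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 2. Server-level permissions granted directly to the login, and by whom.
--    After the script in the question this should list CREATE ANY DATABASE
--    (plus the CONNECT SQL that every new login receives).
SELECT p.permission_name,
       p.state_desc,
       g.name AS grantor
FROM sys.server_permissions AS p
JOIN sys.server_principals AS l ON l.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS g ON g.principal_id = p.grantor_principal_id
WHERE l.name = @login;

-- 3. Default trace: who added the login to a server role, from which host
--    and application. EventClass 108 = "Audit Add Login to Server Role Event".
--    Only the current trace file onward is read; the default trace rolls over,
--    so an old change may already be gone or sit in an earlier file.
DECLARE @trace nvarchar(260);
SELECT @trace = path FROM sys.traces WHERE is_default = 1;

SELECT t.StartTime,
       e.name             AS event_name,
       t.LoginName        AS executed_as,
       t.SessionLoginName AS session_login,
       t.TargetLoginName,
       t.RoleName,
       t.HostName,
       t.ApplicationName
FROM sys.fn_trace_gettable(@trace, DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE t.EventClass = 108
  AND t.TargetLoginName = @login
ORDER BY t.StartTime;
```

If query 3 returns a row, executed_as and session_login show which principal performed the role change, which settles whether it was the login itself or a sysadmin session.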