How come a login with no rights can give himself db_creator?
I just created a new login using the GUI, which generates this script:
USE [master]
GO
CREATE LOGIN [tester] WITH PASSWORD=N'tester', DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use [master]
GO
GRANT CREATE ANY DATABASE TO [tester]
GO
This login was granted to a person who wanted to make a new database. I didn't want to give him db_creator rights, so I used the code above. However, after he installed his application (in which the creation of a database is included), I checked the login again, and now it has the db_creator server role! Somehow he has granted this to himself, and theoretically he could delete my databases now! I've tested this 3 times to make sure that this is indeed what is happening. I've made a trigger to prevent the deletion of databases, which he can't access, but I'm still worried.
How is this even possible and how can I prevent it?
sql-server sql-server-2008-r2 security
asked Mar 6 '15 at 13:13
user1261104
1 Answer
By using the listed script, the user cannot give himself server level create db rights. My next step would be to look to see if it's possible someone else with sysadmin or high-level permissions did that for him because they misunderstood permissions.
answered Mar 9 '15 at 21:45
HMan06
The person and I were the only ones working on the database. As I didn't give him the permissions, there would seem to be no other option than him doing it...
– user1261104
Mar 16 '15 at 9:26