Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

Incoherent security with Sybase 12.5.0.1

2 posts in Product Futures Discussion Last posting was on 2003-01-13 12:18:19.0Z
Fabrice Posted on 2003-01-08 10:39:40.0Z
From: "Fabrice" <fbidard@odyssey-group.com>
Subject: Incoherent security with Sybase 12.5.0.1
Date: Wed, 8 Jan 2003 11:39:40 +0100
Lines: 18
Organization: OAMS
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID: <Kw6mxPwtCHA.155@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: 62.50.73.30
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:192
Article PK: 93372

Sybase 12.5.0.l has new security features that allows to grant a non
sa_role user to execute dbcc commands. I'm trying to create a user, with no
sa_role, that can run a dbcc checkstorage. I used this new grant feature and
discovered that:
- the user can run dbcc checkstorage only if he is the owner of the dbccdb
database (looks OK)
- the user can run sp_dbcc_... reports, but only a user with sa_role can run
a sp_dbcc_runcheck !
- the user cannot use sp_dbcc_deletehistory on all databases without having
the sa_role !

It seems that the new security features of 12.5.0.1 are not really
coherent. Finaly, only a user with sa_role can execute the complete
checkstorage features ! Is there any plan to improve this ?

Fab


Anthony Mandic Posted on 2003-01-13 12:18:19.0Z
Message-ID: <3E22AE8B.C3249D22@start.com.au>
Date: Mon, 13 Jan 2003 23:18:19 +1100
From: Anthony Mandic <am_is_not@start.com.au>
Organization: Mandic Consulting Pty. Ltd.
X-Mailer: Mozilla 4.61 [en] (WinNT; I)
MIME-Version: 1.0
Subject: Re: Incoherent security with Sybase 12.5.0.1
References: <Kw6mxPwtCHA.155@forums.sybase.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Newsgroups: sybase.public.ase.product_futures_discussion
Lines: 24
NNTP-Posting-Host: 203-109-142-9.static.ihug.com.au 203.109.142.9
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:191
Article PK: 93366


Fabrice wrote:
>
> Sybase 12.5.0.l has new security features that allows to grant a non
> sa_role user to execute dbcc commands. I'm trying to create a user, with no
> sa_role, that can run a dbcc checkstorage. I used this new grant feature and
> discovered that:
> - the user can run dbcc checkstorage only if he is the owner of the dbccdb
> database (looks OK)
> - the user can run sp_dbcc_... reports, but only a user with sa_role can run
> a sp_dbcc_runcheck !
> - the user cannot use sp_dbcc_deletehistory on all databases without having
> the sa_role !
>
> It seems that the new security features of 12.5.0.1 are not really
> coherent. Finaly, only a user with sa_role can execute the complete
> checkstorage features ! Is there any plan to improve this ?

Without checking the souce, I would guess that the system sprocs you
mention are doing tests. If that's the case you can easily change
them.

-am © 2003