确定当前正在进行的安全检查 (SQL Server)

发布于 2024-09-12 12:07:13 字数 1176 浏览 6 评论 0原文

我一直最讨厌 MS SQL Server 中的一件事就是安全性的工作方式。如果你有趣地看待服务器,安全上下文会不断切换,而且通常很难(无论如何对我来说)预测或调试。

在今天处理一个问题时,我想,“我希望我可以在代码中添加一行,以显示 SQL Server 在代码运行时使用的安全上下文。”存在这样的命令吗?例如,SELECT security_context()

更清楚一点...如果我位于存储过程中,因此受到 SP 所有者的安全上下文的约束,那么我想看到了。如果我在由 sp_executesql 调用的代码中,并且它导致安全性处于 SQL Server 服务帐户的上下文中,那么我希望看到这一点。

至少这样我也许能够弄清楚为什么 SQL Server 认为我不应该访问某些内容。

谢谢!


示例

-- Set up
CREATE USER Test_User WITHOUT LOGIN
CREATE TABLE Test_Security_Context (my_id INT)
INSERT INTO Test_Security_Context VALUES (1)
DENY SELECT ON Test_Security_Context TO Test_User
GO
CREATE PROCEDURE Test_Security_Context_SP
AS
  SELECT SUSER_SNAME()
  SELECT * FROM Test_Security_Context  -- This will return ok
  EXEC('SELECT SUSER_SNAME(); SELECT * FROM Test_Security_Context')  -- SUSER_SNAME() will match above but select fails
GO
GRANT EXECUTE ON Test_Security_Context_SP TO Test_User
GO

-- Switch to the new user
SETUSER 'Test_User'
GO

-- Do the test
EXEC Test_Security_Context_SP
GO

-- Clean up
SETUSER
DROP PROCEDURE Test_Security_Context_SP
DROP TABLE Test_Security_Context
DROP USER Test_User
GO

One thing that I've always hated more than just about anything in MS SQL Server is the way that security works. The security context constantly switches if you look at the server funny and it's often very hard (for me anyway) to predict or debug.

In dealing with an issue today, I though, "I wish I could just add a line to my code that would display the security context that SQL Server is using when this code runs." Does such a command exist? For example, SELECT security_context()

To be a little clearer... if I'm in a stored procedure and am therefor subject to the security context of the owner of the SP then I'd like to see that. If I'm in code that was called by sp_executesql and it's causing the security to be under the context of the SQL Server service account, then I would want to see that.

At least then I might be able to figure out why SQL Server thinks that I shouldn't have access to something.

Thanks!


EXAMPLE

-- Set up
CREATE USER Test_User WITHOUT LOGIN
CREATE TABLE Test_Security_Context (my_id INT)
INSERT INTO Test_Security_Context VALUES (1)
DENY SELECT ON Test_Security_Context TO Test_User
GO
CREATE PROCEDURE Test_Security_Context_SP
AS
  SELECT SUSER_SNAME()
  SELECT * FROM Test_Security_Context  -- This will return ok
  EXEC('SELECT SUSER_SNAME(); SELECT * FROM Test_Security_Context')  -- SUSER_SNAME() will match above but select fails
GO
GRANT EXECUTE ON Test_Security_Context_SP TO Test_User
GO

-- Switch to the new user
SETUSER 'Test_User'
GO

-- Do the test
EXEC Test_Security_Context_SP
GO

-- Clean up
SETUSER
DROP PROCEDURE Test_Security_Context_SP
DROP TABLE Test_Security_Context
DROP USER Test_User
GO

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

北方。的韩爷 2024-09-19 12:07:13

是的,有这样一对视图代表您当前的安全上下文,考虑 EXECUTE AS 或代码签名等所有细节:

您获得的每一次访问最终都源自这些结果返回中的一行。请注意,某些访问权限是通过硬编码角色成员身份隐式进行的(例如 db_datareader 数据库角色或 sysadmin 服务器角色)。

除此之外:

  • 所有权链与安全上下文无关:您不在 SP 所有者的“上下文”下。所有权链只是指出,对于与当前对象(SP、视图)属于同一所有者的对象,将跳过访问检查。
  • sp_executesql 不会以任何方式更改安全上下文

Yes, there is such a pair of views that represents your current security context, considering all the details like EXECUTE AS or code signing:

Every single access you get is ultimately derived from a row in the return of these results. Note that some access are implicit from hard coded role membership (like db_datareader database role or sysadmin server role).

Other that that:

  • ownership chaining is not related to security context: you are not under the 'context' of the SP owner. Ownership chaining simply states that access checks are skipped for objects owned by the same owner as current object (SP, View).
  • sp_executesql does not change the security context in any way
请恋爱 2024-09-19 12:07:13

不确定这是否是您所说的安全上下文的意思,但您可以检索与您的会话关联的用户,例如:

select SYSTEM_USER

这适用于 SQL Server 登录或 WIndows 登录。它甚至可以在以所有者身份执行的存储过程中运行。例如,

create procedure dbo.Test
with execute as owner
as
select SYSTEM_USER
go
exec dbo.Test
select SYSTEM_USER

打印:

sa
MyMachine\MyName

如果您正在查找 SQL Server 用来代表您执行操作的 Windows 帐户,您可以尝试从以下命令运行 whoami

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE

EXEC master..xp_cmdshell 'whoami'

对于我来说,这将返回 < code>nt 权限\网络服务。

Not sure if this is what you mean by security context, but you can retrieve the user associated with your session like:

select SYSTEM_USER

This works for both a SQL Server login or a WIndows login. It even works inside stored procedures with execute as owner. For example,

create procedure dbo.Test
with execute as owner
as
select SYSTEM_USER
go
exec dbo.Test
select SYSTEM_USER

Prints:

sa
MyMachine\MyName

If you're looking for the Windows account that SQL Server is using to do things on your behalf, you could try to run whoami from the command like:

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE

EXEC master..xp_cmdshell 'whoami'

For me, that returns nt authority\network service.

孤檠 2024-09-19 12:07:13

我认为您想使用 CURRENT_USER 来查看当前的安全上下文。这是一个示例:

SELECT CURRENT_USER AS 'Current User Name';
GO
EXECUTE AS LOGIN = 'junk'
GO
SELECT CURRENT_USER AS 'Current User Name';
GO
REVERT
SELECT CURRENT_USER AS 'Current User Name';
GO

带有输出(注意:我是 SQL Server 的管理员)

Current User Name
------------------
dbo

(1 row(s) affected)

Current User Name
------------------
Junk

(1 row(s) affected)

Current User Name
------------------
dbo

(1 row(s) affected)

I think you want to use CURRENT_USER to see the current security context. Here's an example:

SELECT CURRENT_USER AS 'Current User Name';
GO
EXECUTE AS LOGIN = 'junk'
GO
SELECT CURRENT_USER AS 'Current User Name';
GO
REVERT
SELECT CURRENT_USER AS 'Current User Name';
GO

with output (note: I'm admin on my SQL Server for this)

Current User Name
------------------
dbo

(1 row(s) affected)

Current User Name
------------------
Junk

(1 row(s) affected)

Current User Name
------------------
dbo

(1 row(s) affected)
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文