Sign in
Laurentiu Cristofor's blog @microsoft.com
Current topics: Security, SQL Server, bing
Translate This Page
Translate this page
Powered by
Microsoft® Translator
Options
Blog Home
About
Share this
RSS for posts
Atom
RSS for comments
Search
Tags
announcements
basic SQL Server security concepts
bing
computer security
encryption
Microsoft products
privacy
search engines
software engineering
SQL Server
SQL Server - cryptography
SQL Server - general
SQL Server - security
Archive
Archives
August 2011
(1)
October 2010
(1)
August 2010
(1)
March 2010
(1)
December 2009
(1)
October 2009
(3)
August 2009
(2)
July 2009
(1)
June 2009
(1)
August 2008
(2)
June 2008
(1)
May 2008
(1)
April 2008
(1)
March 2008
(1)
February 2008
(5)
January 2008
(4)
November 2007
(2)
October 2007
(4)
September 2007
(3)
July 2007
(1)
April 2007
(2)
March 2007
(1)
February 2007
(2)
December 2006
(1)
November 2006
(1)
October 2006
(3)
July 2006
(2)
May 2006
(1)
April 2006
(2)
March 2006
(2)
January 2006
(1)
December 2005
(5)
October 2005
(3)
September 2005
(5)
July 2005
(1)
June 2005
(4)
SQL Server 2005: procedure signing demo
MSDN Blogs
>
Laurentiu Cristofor's blog @microsoft.com
>
SQL Server 2005: procedure signing demo
SQL Server 2005: procedure signing demo
Laurentiu Cristofor [MSFT]
16 Jun 2005 12:23 AM
Comments
8
The ability to sign procedures is my favorite cryptographic feature in SQL Server 2005.
If we want to write a procedure that requires permission P, and we want Alice to be able to execute the procedure but we do not want to grant her the permission P, we can sign the procedure with a certificate and:
a) if P is a database level permission, then we can create a certificate in the database, create a user mapped to it, and grant P to that user.
b) if P is a server level permission, then we can create a certificate in the master database, create a login mapped to it, and grant P to that login.
By doing this, because of its signature, the procedure will gain P for the duration of its execution and we can just grant Alice permission to execute the procedure.
If we need to grant both server and database level permissions to a certificate, then we will have to create both a user and a login. The steps are as follows:
1) create the certificate in the database
2) create a user mapped to the certificate
3) grant db-level permissions to the user
4) backup certificate to a file
5) create the certificate in the master database from the file
6) create a login mapped to the certificate
7) grant server-level permissions to login
We can also first create the certificate in the master database and then recreate it in the user database where alice will work. The order in which we create the certificates does not matter, what matters is that the certificates are the same in both master and the user database.
And here is a demo:
-- Goals of this demo:
-- Show how a procedure can be signed by a certificate
-- and how to grant permissions to that certificate
create database demo;
use demo;
-- create a procedure that creates a new principal (login and user)
-- This requires ALTER ANY LOGIN at server level
-- and ALTER ANY USER at database level
create procedure sp_CreatePrincipal
@name varchar(256),
@password varchar(128)
as
declare @sqlcmd varchar(2000);
begin tran;
-- create login
set @sqlcmd = 'create login ' + quotename(@name) + ' with password = ' + quotename(@password, '''');
exec (@sqlcmd);
if @@error <> 0
begin
rollback tran;
print 'Cannot create login'
return;
end
-- create user
set @sqlcmd = 'create user ' + quotename(@name);
exec (@sqlcmd);
if @@error <> 0
begin
rollback tran;
print 'Cannot create user'
return;
end
commit tran;
go
-- now use this newly added procedure
-- to create a low privileged principal
sp_CreatePrincipal 'alice', 'Apufe@))%';
-- we'll now want alice to be able to use the procedure and create new principals
-- but without granting her directly the permissions
grant execute on sp_CreatePrincipal to alice;
-- verify that alice cannot create principals
execute as login = 'alice';
sp_CreatePrincipal 'bob', 'Apufe@))%';
revert;
-- create a certificate to sign the procedure
-- first, we'll need to create a database master key
create master key encryption by password = 'Apufe@))%';
create certificate certSignCreatePrincipal with subject = 'for signing procedure sp_CreatePrincipal';
-- sign procedure sp_CreatePrincipal
add signature to sp_CreatePrincipal by certificate certSignCreatePrincipal;
-- now that we signed the procedure, we can drop the private key
alter certificate certSignCreatePrincipal remove private key;
-- backup certificate to file; it will be used later to put the certificate in master
backup certificate certSignCreatePrincipal to file = 'certSignCreatePrincipal.cer';
-- create and map a user to the certificate
create user u_certSignCreatePrincipal from certificate certSignCreatePrincipal;
-- grant ALTER ANY USER to the certificate by granting it to the mapped user
grant alter any user to u_certSignCreatePrincipal;
-- create the same certificate in master now
use master;
create certificate certSignCreatePrincipal from file = 'certSignCreatePrincipal.cer';
-- create and map a login to the certificate
create login l_certSignCreatePrincipal from certificate certSignCreatePrincipal;
-- grant ALTER ANY LOGIN to the certificate by granting it to the mapped login
grant alter any login to l_certSignCreatePrincipal;
-- we're done!
use demo;
-- check that the certificate in demo matches the one in master
select c.name from sys.certificates c, master.sys.certificates mc where c.thumbprint = mc.thumbprint;
-- verify that alice can now create principals
execute as login = 'alice';
sp_CreatePrincipal 'bob', 'Apufe@))%';
revert;
-- cleanup
drop user u_certSignCreatePrincipal;
drop login l_certSignCreatePrincipal;
drop procedure sp_CreatePrincipal;
drop certificate certSignCreatePrincipal;
drop user alice;
drop login alice;
drop user bob;
drop login bob;
use master;
drop certificate certSignCreatePrincipal;
drop database demo;
-- EOD
8 Comments
SQL Server - cryptography
,
SQL Server - security
,
SQL Server
,
computer security
Blog - Comment List MSDN TechNet
Comments
Loading...
Leave a Comment
Name
Comment
Please add 3 and 1 and type the answer here:
Post