safe to use sybase command

marrowyung asked
Last Modified: 2020-04-29
Hi,

For the following Sybase commands, are they safe to use?

(.*)grant role sa_role(.*)
(.*)grant role sso_role(.*)
(.*)sp_role(.*)grant(.*)sa_role(.*)
(.*)sp_role(.*)grant(.*)sso_role(.*)

(.*)sp_addexternlogin(.*)
(.*)sp_addremotelogin(.*)

(.*)sp_addalias(.*)
(.*)sp_addserver(.*)

Joe Woodhouse, Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2012

Commented:
Safe for whom? :)

More context please.

Are you asking... will running these commands compromise the security of your ASE? The answer is yes, to a greater or lesser extent depending on the command, except for sp_addserver as that does not provide any credentials or privileges.

sa_role and sso_role are between them every DBA permission. You should be as cautious with them as you would with handing out the "root" password, because anyone with both of these roles can do anything in your ASE. From a security perspective sso_role is the greater risk because this can create logins, grant permissions, and affect the auditing system.

sp_addexternlogin and sp_addremotelogin are much the same... creating a new login is only as dangerous as the permissions you grant to that login. Part of the danger here though is that multiple logins from other ASEs could be treated as a single login in this ASE... meaning you lose the ability to know who did something. But that's also true if you use any other shared login.

sp_addalias is only as dangerous as the user you create the alias to. Aliasing a login to "dbo" means that login now has every permission in this database. There are few genuine reasons to need to do this in any PROD server... and I recommend you keep security the same in UAT as in PROD else you will have surprises in PROD.

The only difference between sp_role and "grant role" is the former only takes effect with their next login and the latter takes effect now.
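
As an added illustration that is not part of the thread: a Python example that treats the patterns from the question as match rules (an assumption about their purpose) and labels each hit with the risk described in the answer above. The severity labels, sample statements and login names are constructed for this example.

```python
import re

# (pattern from the question, severity, note). Severities are this example's own
# labels, assigned from the risk comments in the answer above.
RULES = [
    (r"(.*)grant role sa_role(.*)", "high", "sa_role granted, effective immediately"),
    (r"(.*)grant role sso_role(.*)", "critical", "sso_role granted, effective immediately"),
    (r"(.*)sp_role(.*)grant(.*)sa_role(.*)", "high", "sa_role granted, effective at next login"),
    (r"(.*)sp_role(.*)grant(.*)sso_role(.*)", "critical", "sso_role granted, effective at next login"),
    (r"(.*)sp_addexternlogin(.*)", "medium", "external login mapping added"),
    (r"(.*)sp_addremotelogin(.*)", "medium", "remote login mapping added"),
    (r"(.*)sp_addalias(.*)", "medium", "login aliased to a database user"),
    (r"(.*)sp_addserver(.*)", "info", "server entry added, no credentials or privileges"),
]
# T-SQL keywords are case-insensitive, so the rules are compiled the same way.
COMPILED = [(re.compile(p, re.IGNORECASE), s, n) for p, s, n in RULES]
# sp_addalias takes (login, database user); an alias to dbo is the worst case.
ALIAS_TO_DBO = re.compile(r"sp_addalias\s+\S+\s*,\s*[\"']?dbo\b", re.IGNORECASE)

def classify(statement):
    """Return a (severity, note) pair for every rule the statement matches."""
    text = " ".join(statement.split())  # collapse runs of whitespace and newlines
    hits = []
    for rx, severity, note in COMPILED:
        if rx.search(text):
            if "sp_addalias" in rx.pattern and ALIAS_TO_DBO.search(text):
                severity, note = "critical", "login aliased to dbo, every permission in this database"
            hits.append((severity, note))
    return hits

# Constructed statements standing in for SQL text pulled from an audit trail.
SAMPLE = [
    "grant role sso_role to appuser1",
    'exec sp_role "grant", sa_role, appuser1',
    "GRANT   ROLE sa_role TO appuser2",
    "sp_addalias appuser1, dbo",
    "sp_addalias appuser1, report_reader",
    "sp_addserver REMOTE_ASE",
    "select name from sysobjects",
]

def report(statements=SAMPLE):
    """Return (statement, hits) for each statement that matched at least one rule."""
    return [(s, classify(s)) for s in statements if classify(s)]

if __name__ == "__main__":
    for stmt, hits in report():
        for severity, note in hits:
            print(f"{severity:8} {note:56} <- {stmt}")
```
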
marrowyung, Senior Technical architecture (Data)

Author

Commented:
Safe for whom? :)

Safe to execute for a normal user without bringing down the system.
Joe Woodhouse, Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2012

Commented:
A normal user can't run any of these commands, they all need sa_role and/or sso_role to run.

A normal user has no business running any of these commands ever.

A DBA should only run any of these commands if they know what they mean, why they are needed, what will happen if they aren't run, and what will happen if they are.

I suspect the answer you need is:

"No these commands are not safe to run."
marrowyung, Senior Technical architecture (Data)

Author

Commented:
ok

A normal user can't run any of these commands, they all need sa_role and/or sso_role to run.

I like this one, sa_role and sso_role! What is sso_role, however, and how different is it from sa_role?