Sql-server – How to ensure security with SQL Server Restore

linuxrestoreSecuritysql serversql-server-2017

I'm building a shared hosting SQL Server tool for linux, where users only receive access to their own database, with a SQL Login and SQL Database User that has db_datareader, db_datawriter and db_ddladmin rights to make sure they can not run any destructive actions on the database server (or choose settings we don't want them to).

We want to enable them to restore backups through a script. Obviously we'll run this restore with a sysadmin account to facilitate this for them (as a means of privilege escalation). Now on the Microsoft documentation site here the following notes are made (quoted verbatim)

We recommend that you do not attach or restore databases from unknown or untrusted sources. These databases could contain malicious code that might execute unintended Transact-SQL code or cause errors by modifying the schema or the physical database structure. Before you use a database from an unknown or untrusted source, run DBCC CHECKDB on the database on a nonproduction server and also examine the code, such as stored procedures or other user-defined code, in the database.

Herein lies my problem. How can I make sure that I do not risk my database server security when allowing end-users (unknown an untrusted sources) to restore arbitrary backup files? Since this process would be automated, there's no time for 'user intervention', but instead perhaps I need to (re)set some safe defaults and/or settings. Does anyone has guidance on what would be my best approach?

Best Answer

I think your best approach would be to supply each user with his or her personal database engine process. With Linux, consider using Docker or some other container framework which further enhances your security by sandboxing the SQL server process.

One of the problems that may arise from your approach, clifton_h already mentioned some other things to watch for in his comment: Any user that is member of the "public" Server Role will be able to see at least the names of all databases on the instance when connecting with SQL Server Management Studio - but if you set the securable "View any database" to "Deny", the user won't even be able to browse databases he is allowed to connect to using the Object Explorer (USE [databasename], however, remains possible). This will sure cause some headscratching among your users and desparate calls on your help line :)

At the very minimum do not allow using contained databases (see https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-2017), the already mentioned "View any database" permission and the items that are part of the Surface Area Configuration Policy (https://docs.microsoft.com/en-us/sql/relational-databases/security/surface-area-configuration?view=sql-server-2017):

Related Solutions

Sql-server – How to restore a SQL Server database along with a standalone application

Good deal with getting the connection string out. Based on that and the error it looks like you'll need to change some things around with your SQL config.

First, SQL 2012 does not support the database compatibility level for SQL Server 7. You'll need to go back down to at least SQL Server 2005.

Based on that connection string info the app is for a SQL server named SCFRANGOS. You can try to create a host entry for SCFRANGOS on the machine you're running the app from and give it the IP of your SQL server, or create it in DNS.

The database name you need to use FVBraganca. Since you have both the mdf (data) and ldf (log) you can try to reattach the database to your SQL Server.

You also need to create a local user on the server and name it usuario. Then you need to create a Windows login on the SQL server for usario and that login needs to be added to the FVBraganca dabase as a user.

Alternatively, if you're comfortable with editing the binary you could edit your own connection information into the exe.

Steps:

Install SQL Server 2005 or earlier on your server. You can download SQL Server 2005 Express from here. Again, SQL 2005 is the newest version you can use that will support the SQL 7 database format.
Make sure the server where SQL Server is installed can be resolved as SCFRANGOS on your network from wherever you are running the application. You can add a host entry or an alias in DNS. Or you can add an entry in the hosts file where you will run the application (c:\windows\system32\drives\etc\hosts typically). When this step is complete you should be able to receive replies when doing a ping SCFRANGOS from the machine where you want to run the application.
Attach the database and name it FVBraganca. Connect to SQL Server and run this (assuming your mdf and ldf files are in c:\myapp and are called myapp.mdf and myapp_log.ldf):

CREATE DATABASE FVBraganca
ON (FILENAME='c:\myapp\myapp.mdf'),
(FILENAME='c:\myapp\myapp_log.ldf'),
FOR ATTACH; GO
Create a user called usario on the server where SQL Server is installed. Instructions are found here.
Create a login in SQL Server for the user created above

CREATE LOGIN [myserver\usario] FROM WINDOWS
GO
Add the new login as a user of the database. If the user already exists you'll need to remove it first so you don't have a mismatch of the security identifiers. The existing user will have the security identifier tied to it from the original SQL Server where the database was last used.

USE FVBraganca
GO
DROP USER usario
GO
CREATE USER usario FOR LOGIN usario
GO
Since you don't know what the user needs access to yet you might just want to grant it dbo access to the database. This is typically not a good idea but in this case it'll be easier until you know for sure what objects in the database the application uses.

sp_addrolemember @rolename='db_owner', @membername='usario'

That should be it. As long as the database attaches cleanly I think this should get you going.

Sql-server – SQL Server DB restore fails

Msg 5064, Level 16, State 1, Line 1 Changes to the state or options of database 'xyz' cannot be made at this time. The database is in single-user mode, and a user is currently connected to it.

This error does not occur if YOU are the single-user in the database. It only occurs if someone else is in it AND it is ALREADY in single-user mode.

For example, try this:

create database test
--
use test
--
ALTER DATABASE test SET SINGLE_USER WITH ROLLBACK IMMEDIATE
--
ALTER DATABASE test SET SINGLE_USER WITH ROLLBACK IMMEDIATE

Note: there are 4 separate batches, and the 4th one doesn't error. You're setting the mode while IN the database, and also setting it a 2nd time. No error.

Assuming you have been given the mandate to restore the DB regardless of what is happening, do an sp_who2 to look for the user who is connected, and KILL the spid. You can then proceed with the RESTORE.

Best Answer

Related Solutions

Sql-server – How to restore a SQL Server database along with a standalone application

Sql-server – SQL Server DB restore fails

Related Question