DENY EXECUTE ON SUSER_NAME or SUSER_SNAME  to  PUBLIC?

Hi All,

I'm trying to lock down my SQL Server a bit.  Is it possible to prevent logins that only have the public server role from executing the SUSER_NAME and SUSER_SNAME functions? 

Thanks for the help!

January 17th, 2015 2:20am

No, and you would not want that, since they may be used in auditing functions.

...however, when testing I found that these functions permits an unprivileged users to see information he should not be able to see. For instance, suser_name(301) will return the name of the user with that id, if there is one. This is bad, and I have reported this in this Connect item:
https://connect.microsoft.com/SQLServer/feedback/details/1090900

The Connect item includes a whole number of metadata functions. Missing from the list is db_id() and db_name(). I reported a the same issue with db_name() a year or two ago, and this issue has been fixed in the next release in SQL Server. That's why I did not include this function in this item.

Here is my repro. The final SELECT performed by tage should return all NULL. (Or possibly 0 for the is_member functions.)

CREATE LOGIN tage WITH PASSWORD = 'erlander'
CREATE LOGIN bertil WITH PASSWORD = 'ohlin'
CREATE USER aina WITHOUT LOGIN
ALTER ROLE db_datareader ADD MEMBER aina
ALTER SERVER ROLE sysadmin ADD MEMBER bertil

CREATE TABLE gunnar (hedlund int NOT NULL)

DECLARE @aina_id int = (SELECT principal_id FROM sys.database_principals WHERE name = 'aina')
DECLARE @bertil_id  int,
        @bertil_sid varbinary(200),
        @gunnar_id  int

SELECT @bertil_id = principal_id, @bertil_sid = sid
FROM   sys.server_principals
WHERE  name = 'bertil'

SELECT @gunnar_id = object_id FROM sys.objects WHERE name = 'gunnar'

EXECUTE AS LOGIN = 'tage'

SELECT * FROM sys.server_principals WHERE name = 'bertil'
SELECT * FROM sys.database_principals WHERE name = 'aina'
SELECT suser_name(@bertil_id),
       suser_sname(@bertil_sid),
       suser_sid('bertil'),
       user_id('aina'),
       user_name(@aina_id),
       database_principal_id('aina'),
       is_rolemember('db_datareader', 'aina'),
       is_srvrolemember('sysadmin', 'bertil'),
       object_name(@gunnar_id)

REVERT
go
DROP LOGIN tage
DROP LOGIN bertil
DROP USER aina
DROP TABLE gunnar

Free Windows Admin Tool Kit Click here and download it now
January 17th, 2015 1:33pm
I had the same experience - I'll make sure to upgrade and make the same recommendation to others once I confirm the fix. Thanks for the reply!
February 17th, 2015 12:12am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics