BUG: Ownership Chains Not Verified for Stored Procs Across DBs
  
PSS ID Number: Q150890
Article last modified on 05-13-1996
 
6.00 6.50
 
WINDOWS
 

----------------------------------------------------------------------
The information in this article applies to:
 
 - Microsoft SQL Server, versions 6.0 & 6.5
----------------------------------------------------------------------
 
BUG#: 15075 (6.00)
 
SYMPTOMS
========
 
If a stored procedure owned by the dbo queries a table or view from another
database which is owned by that database's dbo, the ownership chain is not
checked, and access is granted.
 
WORKAROUND
==========
 
The following steps cause ownership chains to be checked across databases:
 
1. Create a view in the same database as the stored procedure.
2. Have the view (from step 1) query from the table or view in the other
   database.
3. Change the stored procedure to query the view from step 1.
 
STATUS
======
 
Microsoft has confirmed this to be a problem in Microsoft SQL Server
versions 6.0 and 6.5. We are researching this problem and will post new
information here in the Microsoft Knowledge Base as it becomes available.
 
MORE INFORMATION
================
 
The SQL Server "Administrator's Companion," chapter 8, page 228, documents
that ownership chains should be checked when the view or stored procedure
accesses an object with a different owner or the object exists in another
database.
 
Additional reference words: 6.0 6.50 permission ownership chain
KBCategory: kbprg kbbug6.00 kbbug6.50
KBSubcategory: ssrvprog ssrvstproc
 
=============================================================================
Copyright Microsoft Corporation 1996.
