SQL Server cross DB ownership chaining enabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SQL Server cross DB ownership chaining enabled

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

Id: b2d5f3c9-1e68-47a1-89b4-92f3a6d7e123

Cloud Provider: GCP

Platform: Terraform

Severity: High

Category: Insecure Configurations

Learn More

Provider Reference

Description

Cross-database ownership chaining allows users to access objects across databases without requiring separate permissions for each database, creating a potential privilege escalation vulnerability. When enabled, an attacker with access to one database might exploit ownership chains to gain unauthorized access to data in other linked databases, bypassing normal permission boundaries. To secure your SQL Server instance, configure the cross db ownership chaining database flag to off as shown in the following example:

settings {
  database_flags {
    name  = "cross db ownership chaining"
    value = "off"
  }
}

Compliant Code Examples

resource "google_sql_database_instance" "good_example" {
  name             = "good-instance"
  database_version = "SQLSERVER_2019_STANDARD"
  region           = "us-central1"

  settings {
    tier = "db-custom-2-13312"
    database_flags {
      name  = "cross db ownership chaining"
      value = "off" # ✅ Compliant
    }
  }
}

Non-Compliant Code Examples

resource "google_sql_database_instance" "bad_example" {
  name             = "bad-instance"
  database_version = "SQLSERVER_2019_STANDARD"
  region           = "us-central1"

  settings {
    tier = "db-custom-2-13312"
    database_flags {
      name  = "cross db ownership chaining"
      value = "on"
    }
  }
}