FIX: A Non-Sysadmin May Execute sp_procoption Stored Procedure (277809)



The information in this article applies to:

  • Microsoft SQL Server 7.0

This article was previously published under Q277809
BUG #: 57213 (SQLBUG_70)

SYMPTOMS

Microsoft SQL Server Books Online states the following concerning the execution of the sp_procoption stored procedure:

Execute permissions default to members of the sysadmin and setupadmin fixed server roles. Startup procedures must be owned by the database owner in the master database.

This is not the intended behavior. Only logins that are members of the System Administrators (sysadmin) fixed server role should have execute permission on sp_procoption.

STATUS

Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 3 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

274799 INF: How to Obtain Service Pack 3 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

For more information, contact your primary support provider.

MORE INFORMATION

To reproduce the problem, use these steps:
  1. Open the SQL Server Query Analyzer.
  2. Create the stored procedure in the master database:
    use master
    go
    create procedure test_proc as
    PRINT "Executed test_proc"
    go
  3. Add a SQL Server login. The default database for the login is master.
    sp_addlogin @loginame = 'testuser',
        @defdb = 'master'
    go
  4. Make the login a member of the Setup Administrators fixed server role.
    sp_addsrvrolemember @loginame = 'testuser', @rolename = 'setupadmin'
    go
  5. Give the login access to the master database.
    sp_adduser @loginame = 'testuser'
    go
  6. Make the new user a member of the db_owner database role.
    sp_addrolemember @rolename = 'db_owner',
    @membername = 'testuser'
    go
  7. Open a second connection in the SQL Server Query Analyzer and log in as testuser.
  8. Make the stored procedure created in step 2 a startup stored procedure:
    sp_procoption @ProcName = 'test_proc',
    @OptionName = 'startup',
    @OptionValue = 'true'
    go
  9. When you execute sp_procoption, this error message is returned in the SQL Server Query Analyzer:
    Server: Msg 5812, Level 14, State 1, Procedure sp_procoption, Line 254
    Permission denied. Only members of the sysadmin role can run RECONFIGURE.
    All 1 matched objects now have their 'startup' setting as 'true'. Updates were required for 1 objects.
  10. Restart SQL Server, and then view the current SQL Server error logs. The following text is displayed, which verifies that the procedure was executed upon startup:
    Launched startup procedure 'test_proc'
    [autoexec] "Executed test_proc"
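
The following audit script is an added example, not part of the original article. It lists the procedures in master that are flagged to run at startup and the members of the two roles used in the steps above, then clears the flag on test_proc. It assumes a sysadmin connection and the object names from the reproduction steps.

```sql
-- Added audit example (not from the KB article). Run as a sysadmin login.
use master
go

-- 1. Procedures in master currently flagged to run at server startup.
--    Owner and creation date help identify entries that nobody recognizes.
select  o.name           as proc_name,
        user_name(o.uid) as owner_name,
        o.crdate         as created
from    sysobjects o
where   o.type = 'P'
  and   objectproperty(o.id, 'ExecIsStartup') = 1
order by o.crdate
go

-- 2. Members of the setupadmin fixed server role (the role granted in step 4).
exec sp_helpsrvrolemember @srvrolename = 'setupadmin'
go

-- 3. Members of db_owner in master (the role granted in step 6).
exec sp_helprolemember @rolename = 'db_owner'
go

-- 4. Clear the startup flag on the test procedure created in step 2.
exec sp_procoption @ProcName = 'test_proc',
    @OptionName = 'startup',
    @OptionValue = 'false'
go
```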

Modification Type: Major
Last Reviewed: 3/14/2006
Keywords: kbBug kbfix KB277809