A serious permissions bug in Alibaba Cloud RDS for SQL Server

Account management in Alibaba Cloud RDS for SQL Server has a number of small bugs, and one very serious one: any ordinary account can create a database. Note that I mean any ordinary account, any arbitrary ordinary account! Any, any ordinary account! Important things are said three times.

For example, in the test environment shown below the instance is RDS for SQL Server 2016 Web edition. On the console's "account management" page we create a database account, test2, and grant it only "read-only" access, as shown below.

[Screenshot: the "account management" page, with account test2 granted read-only access]

We use the script get_login_rights_script.sql to list the specific permissions of the test2 account, as follows:

[Screenshot: output of get_login_rights_script.sql for the test2 account]

After logging in with the test2 account, you can run the following script and create a database, as shown below. Based on our individual tests, this can be any ordinary account. Even after removing the setupadmin and processadmin server roles, it can still create a database.


CREATE DATABASE [MyDB]
 CONTAINMENT = NONE
 ON  PRIMARY 
( NAME = N'MyDB', FILENAME = N'E:\SQLDATA\DATA\MyDB.mdf' , SIZE = 5120KB , FILEGROWTH = 10%)
 LOG ON 
( NAME = N'MyDB_log', FILENAME = N'E:\SQLDATA\DATA\MyDB_log.ldf' , SIZE = 1024KB , FILEGROWTH = 10%)
GO


If the account can create a database, it can of course also drop one; however, it can only drop databases it created itself, not other databases. (That part is consistent with SQL Server's ownership rules: the login that creates a database becomes its owner, and the owner holds CONTROL on that database, which is what DROP DATABASE requires.)


DROP DATABASE MyDB;


Dropping a database that this account did not create fails with an error, as shown below:


DROP DATABASE test4;
 
Msg 3701, Level 11, State 2, Line 15
Cannot drop the database 'test4', because it does not exist or you do not have permission.

Isn't that surprising? On a conventional SQL Server instance, creating a database requires membership in the dbcreator server role (sysadmin can, of course), or a grant of CREATE ANY DATABASE, ALTER ANY DATABASE, or CREATE DATABASE (the latter is granted in the master database). The ordinary RDS for SQL Server account has been granted none of these, yet it can still create a database. I really do not understand why such a bug exists. Even the high-privilege account in RDS for SQL Server is subject to permission restrictions, so many things cannot be investigated in more depth. We have already submitted a report of the problem, but there has been no official reply yet!
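The author's get_login_rights_script.sql is not reproduced on this page. The T-SQL below is an added example, not the author's script or anything from Alibaba Cloud, that enumerates every legitimate path by which a login could obtain CREATE DATABASE on SQL Server, so a reader can confirm for themselves that the account really holds none of them before calling this a bug. It assumes the login is named test2 and that its user in master (if any) carries the same name; sections 1 to 3 are run by an account that can read the server catalog, section 4 is run while connected as test2 itself.

```sql
-- Added example (not the author's get_login_rights_script.sql): list every
-- legitimate source of CREATE DATABASE rights for one login.
-- Assumption: the login under test is named test2 (the console account above).
DECLARE @login sysname = N'test2';

-- 1. Fixed server roles the login belongs to.
--    sysadmin or dbcreator here would fully explain CREATE DATABASE succeeding.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 2. Server-level permissions granted directly to the login.
--    ALTER ANY DATABASE implies CREATE ANY DATABASE; CONTROL SERVER implies everything.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS m ON m.principal_id = p.grantee_principal_id
WHERE m.name = @login
  AND p.permission_name IN (N'CREATE ANY DATABASE', N'ALTER ANY DATABASE', N'CONTROL SERVER');

-- 3. The database-level CREATE DATABASE permission, which lives in master.
--    Assumption: the master user for the login has the same name as the login.
SELECT dp.permission_name, dp.state_desc
FROM master.sys.database_permissions AS dp
JOIN master.sys.database_principals AS u ON u.principal_id = dp.grantee_principal_id
WHERE u.name = @login
  AND dp.permission_name = N'CREATE DATABASE';

-- 4. Effective check from the login's own point of view: run this part while
--    connected AS test2. Each column is 1 if the permission is held, 0 if not.
--    If all of them are 0 and the CREATE DATABASE above still succeeds, the
--    grant is coming from somewhere the catalog does not show.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, N'CREATE ANY DATABASE')              AS can_create_any_database,
       HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER ANY DATABASE')               AS can_alter_any_database,
       HAS_PERMS_BY_NAME(N'master', N'DATABASE', N'CREATE DATABASE')     AS can_create_database_in_master,
       IS_SRVROLEMEMBER(N'dbcreator')                                     AS is_dbcreator,
       IS_SRVROLEMEMBER(N'sysadmin')                                      AS is_sysadmin;
```

Sections 1 to 3 only show direct grants and direct role membership; section 4 asks the engine for the effective answer, which also covers grants inherited through user-defined server roles. On a managed service the catalog views may be partially restricted, so if sections 1 to 3 come back empty but section 4 reports a 1, the grant exists even though you cannot see where it was made.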


Source: www.cnblogs.com/kerrycode/p/11729816.html