的用户有权限通过SQL Mail使用SQL Server的文件吗?SQL Mail和 SQL代理帐号一样运行在相同安全条件下。默认情况下,SQL代理运行在本地系统帐号下。如果用户能存取SQL Server数据库里的系统扩展存储过程xp_sendmail,那么就会有安全漏洞了。
通过给系统扩展存储过程xp_sendmail附加参数,用户就可以获得存取服务器上的文件的权限。通过一个方法你就可以保护xp_sendmail:把它封装倒一个存储过程中去,使附加参数非public。许可受这个存储过程的保护,把许可从xp_sendmail中取消。
下面基本的工作模板,你用它就可以保护xp_sendmail:
use master
go
-- =============================================
-- Create procedure basic template
-- =============================================
-- creating the store procedure
IF EXISTS (SELECT name
FROM sysobjects
WHERE name = N'sp_sendmail'
AND type = 'P')
DROP PROCEDURE sp_sendmail
GO
CREATE PROCEDURE sp_sendmail
in_recipients VARCHAR(8000) = '<default email address>'
,in_message VARCHAR(8000)= 'test'
,in_query VARCHAR(8000)= ''
,in_copy_recipients VARCHAR(8000)= NULL
,in_blind_copy_recipients VARCHAR(8000)= NULL
,in_subject VARCHAR(80)= 'test'
,in_type VARCHAR(80)= NULL
,in_attach_results VARCHAR(80)= NULL
,in_no_output VARCHAR(8)= NULL
,in_no_header VARCHAR(8)= NULL
,in_width INT = 10
,in_separator VARCHAR(8)= NULL
,in_echo_error VARCHAR(8000)= NULL
,in_set_user VARCHAR(256) = NULL
,in_dbuse VARCHAR(256) = NULL
AS
DECLARE attachments VARCHAR(8000)
SET in_recipients = '<default dba email address>;' + in_recipients
exec master..xp_sendmail
recipients = in_recipients
,message = in_message
,query = in_query
,attachments = ' '
,copy_recipients = in_copy_recipients
,blind_copy_recipients = in_blind_copy_recipients
,subject = in_subject
,type = in_type
,attach_results = in_attach_results
,no_output = in_no_output
,no_header = in_no_header
,width = in_width
,separator = in_separator
,echo_error = in_echo_error
,set_user = in_set_user
,dbuse = in_dbuse
GO
-- example to execute the store procedure
EXECUTE sp_sendmail
GO
-- example to grant permissions to the store procedure
GRANT EXECUTE ON sp_sendmail TO public
GO
REVOKE EXECUTE ON xp_sendmail TO public
GO
