Security issues on user defined functions for Sql server 2012
Question
I am creating user defined functions in C#, as explained on the link: https://msdn.microsoft.com/en-us/library/w2kae45k%28v=vs.90%29.aspx
(I use C# CLR project, I have VS 2010, SQL server 2012. The code in VS 2010 is in framework 3.5. The sql server is in framework 4.0)
I didn't succeed deploying, even I chose the correct server+database, so I copied the dll manually like this:
- Created new sql project as the link (I chose Visual C# CLR database object, choose server+database)
Add user defined function:
using System; using System.Data; using System.Data.SqlClient; using System.Data.SqlTypes; using Microsoft.SqlServer.Server;
public partial class UserDefinedFunctions { [Microsoft.SqlServer.Server.SqlFunction()] public static int testfunc() { // Put your code here return 1234; } };
Put the dll in the assembly of sql server (in sql ssms: databases->"database name" -> Programmability -> Assembly -> New assembly -> ... choose the dll with permission set "safe").
Add a new function like this: create function testfunc() RETURNS int as EXTERNAL NAME SqlServerProject1.UserDefinedFunctions.testfunc
(SqlServerProject1 is the namespace and dll name, UserDefinedFunctions is the class name, testfunc is the function name in C# and in sql server)
Everything work fine when doing select dbo.funcname(), but now I have problem (see exception bellow), when changing code in C# (testfunc) to this one:
[Microsoft.SqlServer.Server.SqlFunction()] public static int testfunc() { WebClient webC = new WebClient(); WebRequest req = HttpWebRequest.Create(" http://axdev:8090 "); return 12345; }
- The exception occurs when running select dbo.testfunc(), and I get:
Msg 6522, Level 16, State 2, Line 1 A .NET Framework error occurred during execution of user-defined routine or aggregate "testfunc": System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException: at System.Security.CodeAccessSecurityEngine.CheckNReturnSO(PermissionToken permToken, CodeAccessPermission demand, StackCrawlMark& stackMark, Int32 create) at System.Security.CodeAccessSecurityEngine.Assert(CodeAccessPermission cap, StackCrawlMark& stackMark) at System.Security.CodeAccessPermission.Assert() at UserDefinedFunctions.testfunc()
- I cannot create an assembly with permission set = "unrestricted" (Same as step 3, but with "unrestricted", since I get the error:
> TITLE: Microsoft SQL Server Management Studio
Create failed for SqlAssembly 'SqlServerProject1'. (Microsoft.SqlServer.Smo)
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
CREATE ASSEMBLY for assembly 'SqlServerProject1' failed because assembly 'SqlServerProject1' is not authorized for PERMISSION_SET = UNSAFE. The assembly is authorized when either of the following is true: the database owner (DBO) has UNSAFE ASSEMBLY permission and the database has the TRUSTWORTHY database property on; or the assembly is signed with a certificate or an asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. (Microsoft SQL Server, Error: 10327)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&ProdVer=11.00.3128&EvtSrc=MSSQLServer&EvtID=10327&LinkId=20476
BUTTONS:
OK
- How can I resolve the above problem to run the new testfunc code properly?
========
A new problem - after running alter database 'mydb' set trustworthy on, I get a new error, when adding again the assembly with "permission set" = unrestricted.
TITLE: Microsoft SQL Server Management Studio
Create failed for SqlAssembly 'SqlServerProject1'. (Microsoft.SqlServer.Smo)
------------------------------ ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
The database owner SID recorded in the master database differs from the database owner SID recorded in database 'mydb'. You should correct this situation by resetting the owner of database 'mydb' using the ALTER AUTHORIZATION statement. (Microsoft SQL Server, Error: 33009)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&ProdVer=11.00.3128&EvtSrc=MSSQLServer&EvtID=33009&LinkId=20476
Thanks :)
1 answers
solution1
1 ACCPTED 2015-02-17 12:35:05
Its a bad practice to change the permission to unrestricted access. Better you create a new login access with unrestricted permission and use it for clr calls. You must be using some threading or socket programming within the clr assembly. It does require unrestricted access.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.