Google Cloud SQL

SQL Cross DB Ownership Chaining Enabled

Ensure that the “cross db ownership chaining” flag is disabled for all SQL Server instances.

Risk Level: Medium

Description

This plugin ensures that the “cross db ownership chaining” flag is disabled for all SQL Server instances. When set to on, this flag enables cross-database ownership chaining for every database on the instance. It should only be enabled if all of the databases hosted by the SQL instance are intended to participate in cross-database ownership chaining.

About the Service

Google Cloud SQL:

Google Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances effortlessly. To learn more, see the Google Cloud SQL documentation.

Impact

If this flag is not set to off, database users may be able to access databases other than the one they are presently using. To ensure maximal security, cross db ownership chaining should not be turned on unless absolutely necessary. Keeping it off prevents permissions from being misused, effectively lowering the risk of attacks or data leaks.

Steps to Reproduce

Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to SQL.
  4. Set Type to SQL Server in the Filter box to only see SQL Server database instances.
  5. Select the ID of the SQL instance you want to investigate from the list of instances available and click on the OVERVIEW tab to check the configuration settings of the selected instance.
  6. In the Database flags section under Configuration, check the configuration of cross db ownership chaining. If it is set to on, then the Cross DB Ownership Chaining flag is enabled for the selected SQL instance.
  7. Repeat steps 5 and 6 for all the SQL instances you want to investigate in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP Console. 

Steps for Remediation

Determine whether or not you truly require cross DB ownership chaining to be enabled for your SQL instances. If not, make the necessary changes to disable it using the steps below.


Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to SQL.
  4. Set Type to SQL Server in the Filter box to only see SQL Server database instances.
  5. Select the ID of the SQL instance you want to reconfigure in the list of instances available. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  6. Go to the OVERVIEW tab and click on the Edit button found on the top navigation bar.
  7. Under the Flags and parameters section, set the status of cross db ownership chaining to off and click the SAVE button to save all the changes.
    Note: If you do not find the cross db ownership chaining flag, click on the Add flag button, choose cross db ownership chaining from the dropdown list provided, set the status to off, and click on DONE.
  8. Repeat steps 5 to 7 for all the SQL instances you want to reconfigure in the selected project.
  9. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.
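The two console procedures above (checking each SQL Server instance for the flag, then patching the ones that have it on) can be scripted against the output of `gcloud sql instances list --format=json`. The following Python is an added example, not the plugin's own code or Google's: it assumes the JSON shape that command produces (`name`, `project`, `databaseVersion`, `settings.databaseFlags`), the four instances embedded in it are constructed sample data, and the `gcloud sql instances patch --database-flags` command it emits for remediation is the CLI equivalent of the console Edit step. One caveat the console hides: `--database-flags` replaces the instance's entire flag list, so the generated command carries every other existing flag over unchanged rather than resetting them to their defaults.

```python
"""Audit and remediate the 'cross db ownership chaining' flag on Cloud SQL for SQL Server.

Added example, not the plugin's own code. Assumes the JSON shape produced by
`gcloud sql instances list --format=json`; the instances below are constructed.
"""
import json
import shlex

FLAG_NAME = "cross db ownership chaining"

# Constructed sample in the shape of `gcloud sql instances list --format=json`.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "sqlserver-prod",
        "project": "example-project",
        "databaseVersion": "SQLSERVER_2019_STANDARD",
        "settings": {"databaseFlags": [
            {"name": "cross db ownership chaining", "value": "on"},
            {"name": "contained database authentication", "value": "on"},
        ]},
    },
    {
        "name": "sqlserver-dev",
        "project": "example-project",
        "databaseVersion": "SQLSERVER_2017_EXPRESS",
        "settings": {"databaseFlags": [
            {"name": "cross db ownership chaining", "value": "off"},
        ]},
    },
    {
        "name": "pg-analytics",  # not SQL Server: this flag does not apply
        "project": "example-project",
        "databaseVersion": "POSTGRES_14",
        "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]},
    },
    {
        "name": "sqlserver-legacy",  # flag never set: SQL Server default is off
        "project": "example-project",
        "databaseVersion": "SQLSERVER_2019_WEB",
        "settings": {},
    },
])


def flag_value(instance, flag_name=FLAG_NAME):
    """Return the lower-cased value of a database flag, or None if it is not set."""
    for flag in instance.get("settings", {}).get("databaseFlags", []):
        if flag.get("name", "").lower() == flag_name:
            return flag.get("value", "").lower()
    return None


def find_enabled(instances_json):
    """Return names of SQL Server instances whose flag is explicitly set to on.

    Mirrors the console check: only an explicit 'on' is a finding; an unset
    flag leaves the SQL Server default (off) in effect, and non-SQL Server
    instances are skipped because the flag does not exist for them.
    """
    findings = []
    for inst in json.loads(instances_json):
        if not inst.get("databaseVersion", "").startswith("SQLSERVER"):
            continue
        if flag_value(inst) == "on":
            findings.append(inst["name"])
    return findings


def remediation_command(instance):
    """Build the gcloud patch command that turns the flag off.

    `--database-flags` replaces the whole flag list, so every other flag that
    is already set on the instance is carried over unchanged.
    """
    kept = [f"{f['name']}={f['value']}"
            for f in instance.get("settings", {}).get("databaseFlags", [])
            if f.get("name", "").lower() != FLAG_NAME]
    flags = kept + [f"{FLAG_NAME}=off"]
    return (f"gcloud sql instances patch {shlex.quote(instance['name'])} "
            f"--project {shlex.quote(instance['project'])} "
            f"--database-flags {shlex.quote(','.join(flags))}")


def remediation_plan(instances_json):
    """Map each non-compliant instance name to the command that fixes it."""
    by_name = {i["name"]: i for i in json.loads(instances_json)}
    return {name: remediation_command(by_name[name])
            for name in find_enabled(instances_json)}


if __name__ == "__main__":
    # In practice, replace SAMPLE_INSTANCES_JSON with the real gcloud output.
    for name, cmd in remediation_plan(SAMPLE_INSTANCES_JSON).items():
        print(f"{name}: '{FLAG_NAME}' is on\n  {cmd}")
```

Run it once per project (or feed it `gcloud sql instances list --format=json` output gathered across projects) to cover steps 7 through 9 of both procedures; review the printed commands before executing them, since patching database flags restarts the instance.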