SQL Server 2008 database copy - file permissions

Time: 2021-12-30 08:34:36

For SQL Server 2008 Developer Edition on Vista 64 bit:

I tried copying a database using a Vista admin account using the attach/detach method and it failed due to a file permission error so I gave the user that sql services are running as write and modify to the directory. The copy didn't work. I then gave it full control. The copy worked.

Does that make sense?

If I revoke full control from the user, will that cause problems?

The weird thing is that in an existing working database with files in a different directory, there are no special permissions on the directory and files for the database, so why does a copy require full control?

2 solutions

#1


3  

When you detach a DB, the MDF/LDF files may be set with more restricted perms than you expect, like exclusive to the principal that did the detach - maybe the SQL Server service account or the domain account of the user that performed the detach. I have in the past had to manually add back permissions on the files' Properties > Security tab for other users, or else the files act as if they are locked. See also http://www.onupdatecascade.com/2009/07/sql-server-locks-mdf-and-ldf-files-upon.html

also: http://msdn.microsoft.com/en-us/library/ms189128.aspx

( thanks GrumpyOldDBA )
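
As an added example (not part of the original answer), the same check and repair can be done from PowerShell instead of the Properties > Security tab: list who holds rights on the detached files, then grant access on those files only rather than on the whole directory. The file paths and the service account name below are hypothetical placeholders.

```powershell
# Hypothetical values: replace with your detached files and the account
# the SQL Server service actually runs as.
$DbFiles        = 'D:\SQLData\MyDb_copy.mdf', 'D:\SQLData\MyDb_copy_log.ldf'
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'

function Get-DbFileAclSummary {
    # One row per access rule, so a file restricted to a single principal
    # after detach is easy to spot.
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Missing file: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                File      = Split-Path -Leaf $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Grant-DbFileAccess {
    # Adds an explicit Allow rule on each file (not the parent directory).
    param(
        [string[]]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    foreach ($p in $Path) {
        $acl  = Get-Acl -LiteralPath $p
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $Identity, $Rights, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $p -AclObject $acl
    }
}

Get-DbFileAclSummary -Path $DbFiles | Format-Table -AutoSize   # before
Grant-DbFileAccess   -Path $DbFiles -Identity $ServiceAccount
Get-DbFileAclSummary -Path $DbFiles | Format-Table -AutoSize   # after
```

Run it from an elevated session under an account that is allowed to change the files' permissions.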

#2


0  

If the server and/or data you are working on does not require those restrictive permissions to be set, you can set a startup flag in SQL Server that will override this function. I understand what Microsoft is going for with this - they assume if you detach a DB they don't want just anyone to walk away with the file; however, I think keeping a good hacker from doing that is easier said than done, and encrypting the DB is the best method for safeguarding data.

Anyway, there is a "Trace Flag 1802" which is oddly named, since it's nothing to do with tracing. You'll want to add it to your SQL startup in SQL Configuration Manager if you want to keep this behavior.

https://support.microsoft.com/en-us/kb/922804

I myself had the same issue and found the answer in StackExchange: https://dba.stackexchange.com/a/77683/11001
