I came across this weird issue this morning and I was wondering if anyone came across this issue before and if this is a security bug that I experienced. First of all the version of server I am running is Adaptive Server Enterprise/15.7/EBF 23473 Cluster Edition SP131 /P/x86_64/Enterprise Linux/ase157sp131x/3896/64-bit/FBO/Mon Nov 3 19:45:05 2014
I create the table using system admin account
1> use TestDB
2> go
1> create table Test ( X int not null)
2> go
Log into the database with ordinary user to the database with no permission to the selected table except just a user in that database
1> select * from Test
2> go
Msg 10330, Level 14, State 1:
Server 'QACluster', Line 1:
SELECT permission denied on object Test , database TestDB, owner dbo
1> sp_rename "Test.X", Y
2> go
Column name has been changed.
Warning: Changing an object or column name could break existing stored
procedures, cached statements or other compiled objects.
(return status = 0)
So a user who does not have select permission or only select permission on a table is allowed to change the column name on a table. I tried renaming the table but this was not allowed
1> sp_rename Test , Test_bk
2> go
Msg 17786, Level 16, State 1:
Server 'QACluster', Procedure 'sp_rename', Line 872:
Object name cannot be changed either because it does not exist in this database,
or you don't own it, or it is a system name.
Has anyone experience this issue before. This seems to be a serious security hole
Regards