Vulnerability in EPiServer.Forms
IT for a project I'm on is wondering if they could get more specific with the database privileges for the Epi db user than the typical "dbowner" privileges. Off the top of my head, I don't see this working too well, but I wanted to see if anyone else out there has run into a similar request, or has accomplished this in some way?
So far, I've only found this resource essentially saying not to do it, and wanted to see if there have perhaps been any updates since: https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2016/4/database-permissions-required-for-application-pool-user/
What about at least the `data_writer` role? It's less privileged than dbowner.
Really sorry for the very delayed reply on my end.
'data_writer' could work. I just haven't seen any Epi documentation noting that that's a valid option (and if I did, I'd wonder why it's not recommended over dbowner in the first place?). So I suppose I'm wondering -- have you tried running Epi with 'data_writer' privileges before, successfully? It sounds like I'll have to test it out & report back if I see any issues. :)
"if I see any issues" - you might try hard to cover all functionality for Epi to spot problematic areas :) "db_owner" is the easiest answer.
I agree, as I wrote that last comment I visualized the hordes and hordes of sudden permission issue-related bugs cropping up across all kinds of obvious and not-so-obvious areas of Epi functionality. It was terrifying, haha.
Thanks for your input! One piece of advice I did get from a colleague is to consider using pass-through IIS App Pool user authentication for the dbowner privileges, rather than just storing them in the web.config. I'll see if that might be a happy medium.
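
The following T-SQL is an added example, not part of the thread or of any Episerver documentation. It sketches the app pool pass-through setup mentioned in the last post, plus two audit queries that show what the identity can actually do. The pool name `EpiSitePool` and database name `EpiCmsDb` are placeholders, and SQL Server is assumed to run on the same host as IIS.

```sql
-- Added example; all names are placeholders (assumptions), not from the thread:
--   EpiSitePool = IIS application pool name, EpiCmsDb = CMS database name.
-- Assumes SQL Server runs on the same host as IIS. With a remote SQL Server,
-- an ApplicationPoolIdentity pool authenticates as the machine account
-- (DOMAIN\WEBSERVER$); alternatively run the pool as a dedicated domain
-- service account and use that login instead.

-- 1. Windows login for the app pool identity: there is no password to store.
CREATE LOGIN [IIS APPPOOL\EpiSitePool] FROM WINDOWS;
GO

USE [EpiCmsDb];
GO

-- 2. Map the login into the CMS database only, and grant the role there.
CREATE USER [IIS APPPOOL\EpiSitePool] FOR LOGIN [IIS APPPOOL\EpiSitePool];
ALTER ROLE db_owner ADD MEMBER [IIS APPPOOL\EpiSitePool];
GO

-- 3. Audit: list every database role the identity holds in this database.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'IIS APPPOOL\EpiSitePool';

-- 4. Audit: confirm the login holds no server-level role (e.g. sysadmin).
--    A NULL server_role means the login has none.
SELECT sp.name AS login_name, sr.name AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS srm
       ON srm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS sr
       ON sr.principal_id = srm.role_principal_id
WHERE sp.name = N'IIS APPPOOL\EpiSitePool';

-- The matching web.config connection string then carries no credentials:
--   Data Source=.;Initial Catalog=EpiCmsDb;Integrated Security=True
```

This removes the SQL password from web.config but does not reduce what the account can do inside the database; the role granted in step 2 is still `db_owner`, scoped to the one CMS database.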