If an app has storage permissions or not is totally irrelevant if it can be exploited or not (unless you download a malicious file your self). Attacks on web browsers usually use an exploit chain, a combination of multiple exploits: The first exploit allows you to execute code with permissions of the web browser on Android. Next one exploits a vulnerability of your OS to get full permissions (privilege escalation: leave the restricted app sandbox). If necessary the last exploit then can give you root permissions, giving the attacker full access to everything (if step 2 has not already leveraged permissions to root). For step 1 it is important to use a web browsers that is properly maintained, and updated regularly. But zer0-day exploits are discovered quite a few, e.g. for Chromium based browsers you have usually one zero-day vulnerability per month, often more. Step 2 and 3 require an updated Android OS. As your phone is missing nearly two years of security updates there might be vulnerabilities for exiting the sand box and/or getting root. In a general sense if there is a flaw in the browser runtime such as the javascript engine, or rendering engine and adversary could conceivably cause your browser to execute an https://en.wikipedia.org/wiki/Arbitrary_code_execution as long as the OS allows it.

I asked the creator of the https://github.com/schwabe/ics-openvpn/discussions/1436 app. That app ignores the OpenVPN --user and --group options and it runs as an unpriviledged user which can be confirmed by installing Android Debug Bridge (ADB) on a computer to which the phone is attached via USB cable. Then run commands such as these: # adb shell sunfish:/ $ top | grep openvpn 20901 shell 20 0 10G 2.8M 2.1M S 0.0 0.0 0:00.00 grep openvpn 20901 shell 20 0 10G 2.8M 2.1M S 0.0 0.0 0:00.00 grep openvpn 19186 u0_a253 20 0 14G 96M 49M S 0.6 1.7 0:02.23 de.blinkt.openvpn:openvpn 19186 u0_a253 20 0 14G 96M 49M S 0.3 1.7 0:02.25 de.blinkt.openvpn:openvpn 19186 u0_a253 20 0 14G 96M 49M S 0.6 1.7 0:02.26 de.blinkt.openvpn:openvpn So in my case the client connecting to the OpenVPN server has user id: u0_a253 and not root. Regarding my original question.... my understanding is that u0_a252 is the UID of the Terminal process. Cheers, Flex

Since you haven't mentioned your OEM, android skin, etc, I'm going to answer this from my device's perspective, i.e., a realme device (steps below would also work with any realme/oppo/oneplus device) Go to app info on each of those apps > permissions > toggle "remove permissions if not used" to OFF.

So, I don't know much about android or coding for it. But I had a similar problem with an app. It was an app that comes up automatically under certain use cases. I'm pretty sure it was a texting app. Well months would go by where I did not click on the app to open it. Only on notifications that popped up, and this would happen to me too. Unless I either closed the app in recently used applications and opened it, or went and pressed on the icon. I know when in the car Android auto can auto connect and give you a notification. Maybe that is why, I don't know I'm just spit balling, but, when I started to open the app at least once a month manually it stopped happening. This was a Galaxy S8 too, I have a pixel 4xl now. But that stopped it for me. Almost seemed like the OS forgot the app was running in the background. It's not an educated guess cause like I said I don't know a lot about Android, or various flavors of it, but maybe it's a similar issue?

Yes, all data stored in Contacts Provider is visible to all apps with READ_CONTACTS permission and if the user has given the permission. From the official documentation of https://developer.android.com/training/contacts-provider/retrieve-names#Permissions , Request permission to read the provider To do any type of search of the Contacts Provider, your app must have https://developer.android.com/reference/android/Manifest.permission#READ_CONTACTS permission. [...] This is why contacts apps can generally show multiple account types for the same person (e.g. Google, WhatsApp, Microsoft), and also why social messaging apps (e.g. WhatsApp) and social media apps (e.g. Facebook, Twitter, Instagram) can detect registered accounts based on phone numbers and/or emails stored in the Contacts Provider.

The permission list shown to the user on installation time bases on the data in AndroidManifest.xml. Apps like https://play.google.com/store/apps/details?id=com.ubqsoft.sec01 can display what apps request what permission. Permissions in AndroidManifest.xml have to be added by the developer. But Android development systems also all libraries to define permissions and if the app includes the library the permissions are automatically added to AndroidManifest.xml when the developer builds the app. But from user perspective it is irrelevant how the permissions are added to AndroidManifest.xml as Android enforces the permissions. This means if the developer forgot to add a permission to AndroidManifest.xml the app will fail to use methods that require this permission.

When you open a file through a file manager, the receiving application is automatically granted access to that resource. Though the access is somehow limited (short lived) and may not work past app or device restart. As an author of Just (Video) Player, I focus on simple working design where you don't need read permission except for some edge case (supporting some outdated apps). You may check this comprehensible table for various types of access to files: https://developer.android.com/training/data-storage

"All Permissions" just give an insight into what all permissions the app can have once allowed, i.e. it just shows that chrome has the ability to "record audio using the microphone at any time".

I backed up all of my data and reset the phone to factory defaults. Important reminder: Before resetting the phone, I removed my MicroSD because the dialog said that it would delete everything on the MicroSD if I did not do this. Sussing out the source of the problem: After reformatting my phone, I slowly installed each app that I thought might be the culprit. Then, I slowly did each system app update. I found there were a few apps that could cause the problem. These are the apps that I suspect have the ability to permanently block connection to VPN in order of confidence with first being most certain: Mi Credit, Screenshot (by Mi), Updater (by Mi), and Security (by Mi). There may be other system apps that create this problem. Update: Themes (MI) also creates this problem, consistently. The VPN connects and says that it is connected, but download rates drop to 0kbps. If I remove myself from the MI Themes privacy policy and wait a few minuets, the VPN starts working again. If I re-accept the privacy policy, the VPN stops working, again. This is reproduceable. Methodology: After reformatting, I spent a few hours connected to my VPN and browsing before installing any of these apps. After installing them one-by-one, I encountered issues. Removing updates did not undo the problem of the VPNs being blocked: I had to factory reset the phone, again. I installed these other apps, one after each reset, to test each one of them. I installed "updater" and "security" at the same time so it might be only one of these two, but I suspect that all of the system apps on the new MIUI system app update set are tainted. Finally, I reset the device, ignored all updates, turned off auto-update in three locations--Developer Options, System Apps Update settings, and System Apps Updater settings--, and began to use my phone again. Everything has been working fine for 24 hours. If it fails hereafter, I will update my answer and include it as part of the question; so, if my answer is here, the theory stands. How is this happening? If anyone knows why these apps are causing this problem or can guide me through figuring it out, please mention me in a comment. Thank you!

You could try creating a SQL Agent job that runs once an hour and checks if the permission is present. If not, add the permission back. With it being a dev region, I wouldn't be super worried about this approach. Something like... IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE [name] = '') CREATE USER [] FROM LOGIN ALTER ROLE db_datareader ADD MEMBER <dev_user>

I'm going to answer this question a different way. When we're talking about database servers, the data within said databases is typically far more valuable than anything sitting on the file system. Database servers can be brought back online, databases can be restored from backups, etc... Not to diminish the fact that a user with OS access can wreck havoc and take a database offline. I'd be far more concerned what a malicious user would do to a database with write permission. They can manipulate data, delete data, insert bad data, etc. If a user is truly wanting to be malicious, this is all the access the would need to be destructive. Depending how aggressive they are, data changes could go undetected for weeks or months, making the chance of recovery challenging. So in this case, what are you trying to protect against? Preventing a trusted database users from making accidentally changes at the OS level? Making sure the scope of a malicious user is limited?

I think what you're looking for is https://www.mssqltips.com/sqlservertip/1782/understanding-cross-database-ownership-chaining-in-sql-server/ : Cross database ownership chaining is an extension of ownership chaining, except it does cross the database boundary. Please see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15 for more information. It is possible to turn it on only for individual databases which may make more sense for your use case: You can set cross-database ownership chaining for individual databases using the SET clause of the ALTER DATABASE statement. If you are creating a new database, you can set the cross-database ownership chaining option for the new database using the CREATE DATABASE statement. Alternatively, another solution could be to use the https://docs.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver15 statement to impersonate a Login who has access to the table in the Final database. You would put it inside the procedure that the Staging User has access to execute, and then only that procedure would have access to modify the table in the Final database. With this solution the Staging User would need access to be able to impersonate the Login being used though. This is better than directly granting Final access to the Staging User because you are controlling your database through stored procedures, and ideally the Login it will be impersonating only has limited access (just the single table you need to update?) in the Final database.

There are a few different ways that a user gets permissions in SQL Server. In addition to role membership (like the sysadmin fixed server role), you can also do explicit GRANTs for individual permissions. Since you're using a Windows Service account, permissions can also be granted to domain groups, and those permissions inherited, in addition to anything granted directly to the login. The login might be part of a domain group. On the Active Directory/Domain side of things, your service account might be included in an AD group, then that AD group granted sysadmin in your SQL Server instance. Then, even though the login isn't directly granted sysadmin, it would still inherit membership from the group. You can check which groups are granting which membership from the SQL Server side of things via the xp_logininfo system stored procedure: EXEC xp_logininfo @acctname = 'MyDomain\amtwo', @option = 'ALL'; The output will look something like this. Notice the first line, which shows my amtwo login gets admin privileges via the "permission path" (read: group membership) in the SQLSERVER_SYSADMIN domain group. account name type privilege mapped login name permission path ---------------- -------- --------- ------------------- ---------------------------- MyDomain\amtwo user admin MyDomain\amtwo MyDomain\SQLSERVER_SYSADMIN MyDomain\amtwo user user MyDomain\amtwo MyDomain\SomeOtherGroup In this case, if I want to remove sysadmin permissions from the amtwo login, I would need to remove it from the SQLSERVER_SYSADMIN group on the active directory side. (ie, there's nothing I can do about it via the SQL Server configuration & permissions.) You might just have CONTROL SERVER There is a permission called CONTROL SERVER which is almost the same as sysadmin, but with some differences. CONTROL SERVER will obey having a DENY enforced for more granular permissions (sysadmin overrides everything, including DENY permissions). Additionally, every once in a while you might run into an older command or function that only works with sysadmin--but that is increasingly rare. It might be that whoever set up your service account granted both sysadmin membership, and the CONTROL SERVER permission. The best way to check this is with a script to query all the permissions. This query is from https://github.com/amtwo/dba-database/blob/production/views/dbo.ServerLoginPermissions.sql in https://am2.co/dbadb , but including the query in full here, as well. As written, this will give all server-level permissions for all users. You can simply add a line to the where clause to filter further. Because this is a Windows login, you should check permissions granted both directly to the login, and any groups that it is a member of (this will be the list of groups returned in the "permissions path" column from using xp_logininfo. -- From http://am2.co/dbadb - Licensed under BSD 2-clause SELECT LoginSid = p.sid, LoginName = p.name, LoginType = p.type_desc, DefaultDatabase = p.default_database_name, LoginIsEnabled = IIF(p.is_disabled = 0,1,0), CanLogIn = COALESCE((SELECT TOP 1 1 FROM sys.server_permissions AS cosq WHERE cosq.grantee_principal_id = p.principal_id AND cosq.type = 'COSQ' AND cosq.state IN ('G','W') AND p.is_disabled = 0 ), 0), PermissionType = perm.type, PermissionState = perm.state, PermissionSql = CONCAT(perm.state_desc, N' ', perm.permission_name, N' TO ', QUOTENAME(p.name) COLLATE Latin1_General_CI_AS_KS_WS, N';' ), DateLoginCreated = p.create_date, DateLoginModified = p.modify_date FROM sys.server_principals AS p JOIN sys.server_permissions AS perm ON perm.grantee_principal_id = p.principal_id WHERE p.type IN ('S','U','G') AND p.name <> N'sa' AND p.name NOT LIKE N'##%##'; If you see any permissions, such as CONTROL SERVER that you want to remove, you would do so by using syntax like REVOKE CONTROL SERVER FROM 'MyDomain\Login';. Note that the PermissionSql column will return a GRANT or DENY statement, and you could simply modify that sql text to change the GRANT to REVOKE.

You aren't actually connected as the readonly user. If you select current_user(), you'll see an anonymous user that hasn't got any privileges on the database.

For a logical backup (dump), you need CONNECT on the database, USAGE on all schemas and SELECT on tables and sequences. The role must be defined as LOGIN. For a file system backup with pg_dump, you need a role with the REPLICATION setting.

mssql will need to login again before getting the new group. Easiest would be to restart that server. Alternate solution: Add the users that need to read the backup, to the sample_group, then chown mssql:sample_group /tmp/backup_dir chmod 2750 /tmp/backup_dir sqlcmd -U sa -P ********* -Q "backup database AdventureWorks TO disk='/tmp/backup_dir/1.bak'" Test if the users can read the backup (will depend on mssql's umask), if not: chmod a+r /tmp/backup_dir/1.bak

Not all users can be impersonated - one example is a https://docs.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15#c-creating-a-database-user-from-a-certificate . CREATE DATABASE Impersonate GO USE Impersonate CREATE MASTER KEY ENCRYPTION BY PASSWORD ='Str0ngPassword!' /* Example from MS Docs */ CREATE CERTIFICATE CarnationProduction50 WITH SUBJECT = 'Carnation Production Facility Supervisors', EXPIRY_DATE = '11/11/2023'; GO CREATE USER JinghaoLiu FOR CERTIFICATE CarnationProduction50; GO EXECUTE AS user = 'JinghaoLiu' Msg 15517, Level 16, State 1, Line 12 Cannot execute as the database principal because the principal "JinghaoLiu" does not exist, this type of principal cannot be impersonated, or you do not have permission. If you can show us the User definition (script it out) it might shed more light on the situation. But ultimately, this looks like an https://xyproblem.info/ . You should get the permissions from correct DMVs instead of impersonating users in a loop. This can get you started, add or filter the info as you see fit: SELECT u.name , u.type , u.type_desc , OBJECT_SCHEMA_NAME(t.object_id) , t.name , dp.permission_name FROM sys.database_principals AS u JOIN sys.database_permissions AS dp ON dp.grantee_principal_id = u.principal_id JOIN sys.tables AS t ON dp.major_id = t.object_id AND dp.class = 1 WHERE u.type IN ( 'A' /* = Application role */ , 'C' /* = User mapped to a certificate */ --, 'E' /* = External user from Azure Active Directory */ --, 'G' /* = Windows group */ , 'K' /* = User mapped to an asymmetric key */ --, 'R' /* = Database role */ , 'S' /* = SQL user */ , 'U' /* = Windows user */ , 'X' /* = External group from Azure Active Directory group or applications */ )

The question is which user you use to create the tables in schema0. Since you say that will be role0, you have to add FOR ROLE role0 to your ALTER DEFAULT PRIVILEGES statement.

You need to grant select also. I believe this is so that the uniqueness of uid and id can be verified. A grant insert without select could be misused by trying to insert a value, if it fails the user would know that that value already existed. Correction, the above is valid for the update. In your case, the returning is the culprit. Drop that and bar_dba can insert.

I was able to get it working by removing the user from the database first and then recreating it. In my case, this login was used in other databases, so I couldn't drop the login. And droping the user didn't work immediately because it also owned some schema. First, I had to find which schema it owned: use [development] go --- See which schemas the user owns: SELECT S.*, [SchemaOwnwer]=dp.name, dp.type_desc FROM SYS.schemas S INNER JOIN SYS.database_principals dp ON S.principal_id = dp.principal_id It showed that the user owned 2 schemas, so next I re-assign those to dbo: -- change them so that dbo owns them: alter authorization on schema::HangFire to dbo; go alter authorization on schema::db_owner to dbo; go I also had to remove the user from a few roles: exec sp_droprolemember 'db_owner', 'mywebuser'; go exec sp_droprolemember 'db_datareader', 'mywebuser'; go exec sp_droprolemember 'db_datawriter', 'mywebuser'; go Finally, I can drop the user drop user [mywebuser] Now, at last, I can add it back with proper settings: create user [mywebuser] for login [mywebuser]; go exec sp_addrolemember 'db_owner', [mywebuser]; go exec sp_addrolemember 'db_datareader', [mywebuser]; go exec sp_addrolemember 'db_datawriter', [mywebuser]; go ALTER USER [mywebuser] WITH DEFAULT_SCHEMA=[dbo]; go ALTER ROLE [db_owner] ADD MEMBER [mywebuser]; go grant connect to [mywebuser]; go