xp_cmdShell  
Author Message
JennyT





PostPosted: Fri May 14 07:49:34 CDT 2004 Top

SQL Server Developer >> xp_cmdShell

This is a multi-part message in MIME format.

------=_NextPart_000_0013_01C439C1.DA7AAA80
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

I have user with read permissions on my tables and execute permission on =
my SP.

In SP(owner is DBO) I update table(owner is DBO), and on update the =
trigger is fired witch write some data into the text file in my disk.

I get an error message:
EXECUTE permission denied on object 'xp_cmdshell', database 'master', =
owner 'dbo'

Why?
I don't want that my read user has execute permission on xp_cmdShell.
I thought if he has execute permission for my sp, which owner is DBO, =
that inside SP I can do anything.
Is there any other way?

thank you,
Simon


------=_NextPart_000_0013_01C439C1.DA7AAA80
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-2">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2>I have user with read permissions on my =
tables=20
and&nbsp;execute permission on my SP.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>In SP(owner is DBO)&nbsp;I update =
table(owner is=20
DBO), and on update the trigger is fired witch write some data =
into&nbsp;the=20
text file in my disk.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I get an error message:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>EXECUTE permission denied on object =
'xp_cmdshell',=20
database 'master', owner 'dbo'</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Why?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I don't want that my read user has =
execute=20
permission on xp_cmdShell.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I thought if he has execute permission =
for my sp,=20
which owner is DBO, that inside SP I can do anything.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Is there any other way?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thank you,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Simon</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0013_01C439C1.DA7AAA80--

SQL Server66  
 
 
simon





PostPosted: Fri May 14 07:49:34 CDT 2004 Top

SQL Server Developer >> xp_cmdShell This is a multi-part message in MIME format.

------=_NextPart_000_001F_01C439C2.AC19B0E0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

If I set the execute permission for 'xp_cmdshell' to my read user I get =
the following error:

A severe error occurred on the current command. The results, if any, =
should be discarded. xpsql.cpp: Error 1813 from GetProxyAccount on line =
472=20
Any suggestion?

Thank you,
Simon


I have user with read permissions on my tables and execute permission =
on my SP.

In SP(owner is DBO) I update table(owner is DBO), and on update the =
trigger is fired witch write some data into the text file in my disk.

I get an error message:
EXECUTE permission denied on object 'xp_cmdshell', database 'master', =
owner 'dbo'

Why?
I don't want that my read user has execute permission on xp_cmdShell.
I thought if he has execute permission for my sp, which owner is DBO, =
that inside SP I can do anything.
Is there any other way?

thank you,
Simon


------=_NextPart_000_001F_01C439C2.AC19B0E0
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-2">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>If I set the execute permission for =
'xp_cmdshell'=20
to my read user I get the following error:</FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>
<H2><FONT size=3D3>A severe error occurred on the current command. The =
results, if=20
any, should be discarded. xpsql.cpp: Error 1813 from GetProxyAccount on =
line=20
472</FONT> </H2>
<DIV>Any suggestion?</DIV>
<DIV>&nbsp;</DIV>
<DIV>Thank you,</DIV>
<DIV>Simon</DIV></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"simon" &lt;<A=20
=

A>&gt;=20

=

@TK2MSFTNGP12.phx.gbl</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>I have user with read permissions on =
my tables=20
and&nbsp;execute permission on my SP.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>In SP(owner is DBO)&nbsp;I update =
table(owner is=20
DBO), and on update the trigger is fired witch write some data =
into&nbsp;the=20
text file in my disk.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I get an error message:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>EXECUTE permission denied on object=20
'xp_cmdshell', database 'master', owner 'dbo'</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Why?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I don't want that my read user has =
execute=20
permission on xp_cmdShell.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I thought if he has execute =
permission for my sp,=20
which owner is DBO, that inside SP I can do anything.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Is there any other way?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thank you,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Simon</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT>&nbsp;</DIV></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_001F_01C439C2.AC19B0E0--

 
 
Rodney





PostPosted: Fri May 14 07:53:03 CDT 2004 Top

SQL Server Developer >> xp_cmdShell This is a multi-part message in MIME format.

------=_NextPart_000_011D_01C43990.DEC39510
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

simon,

xp_cmdShell is an extended stored procedure and has separate permissions =
from regular stored procs. You need to provide execute permission the =
usergroup/user.


I have user with read permissions on my tables and execute permission =
on my SP.

In SP(owner is DBO) I update table(owner is DBO), and on update the =
trigger is fired witch write some data into the text file in my disk.

I get an error message:
EXECUTE permission denied on object 'xp_cmdshell', database 'master', =
owner 'dbo'

Why?
I don't want that my read user has execute permission on xp_cmdShell.
I thought if he has execute permission for my sp, which owner is DBO, =
that inside SP I can do anything.
Is there any other way?

thank you,
Simon


------=_NextPart_000_011D_01C43990.DEC39510
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-2">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DVerdana size=3D2>simon,</FONT></DIV>
<DIV><FONT face=3DVerdana size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DVerdana size=3D2>xp_cmdShell is an extended stored =
procedure and=20
has separate permissions from regular stored procs.&nbsp; You need to =
provide=20
execute permission the usergroup/user.</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"simon" &lt;<A=20
=

A>&gt;=20

=

@TK2MSFTNGP12.phx.gbl</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>I have user with read permissions on =
my tables=20
and&nbsp;execute permission on my SP.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>In SP(owner is DBO)&nbsp;I update =
table(owner is=20
DBO), and on update the trigger is fired witch write some data =
into&nbsp;the=20
text file in my disk.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I get an error message:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>EXECUTE permission denied on object=20
'xp_cmdshell', database 'master', owner 'dbo'</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Why?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I don't want that my read user has =
execute=20
permission on xp_cmdShell.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I thought if he has execute =
permission for my sp,=20
which owner is DBO, that inside SP I can do anything.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Is there any other way?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thank you,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Simon</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT>&nbsp;</DIV></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_011D_01C43990.DEC39510--

 
 
simon





PostPosted: Fri May 14 08:12:41 CDT 2004 Top

SQL Server Developer >> xp_cmdShell This is a multi-part message in MIME format.

------=_NextPart_000_0031_01C439C5.E6A57480
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

When I update my table the trigger is fired:
CREATE TRIGGER posodobiCachMedijev=20
ON dbo.cpoMedium=20
FOR INSERT, UPDATE, DELETE=20
AS






If I set the permission for my user on xp_cmdShell I get some strange =
error:

A severe error occurred on the current command. The results, if any, =
should be discarded. xpsql.cpp: Error 1813 from GetProxyAccount on line =
472=20

Why?

If I update my table from sqlQueryanalyzer like dbo user, then =
everything is fine.

Thank you,
Simon


simon,

xp_cmdShell is an extended stored procedure and has separate =
permissions from regular stored procs. You need to provide execute =
permission the usergroup/user.


I have user with read permissions on my tables and execute =
permission on my SP.

In SP(owner is DBO) I update table(owner is DBO), and on update the =
trigger is fired witch write some data into the text file in my disk.

I get an error message:
EXECUTE permission denied on object 'xp_cmdshell', database =
'master', owner 'dbo'

Why?
I don't want that my read user has execute permission on =
xp_cmdShell.
I thought if he has execute permission for my sp, which owner is =
DBO, that inside SP I can do anything.
Is there any other way?

thank you,
Simon


------=_NextPart_000_0031_01C439C5.E6A57480
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-2">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>When I update my table the trigger is=20
fired:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>CREATE TRIGGER posodobiCachMedijev =
<BR>ON=20
dbo.cpoMedium <BR>FOR INSERT, UPDATE, DELETE <BR>AS</FONT></DIV>


varchar(40)</FONT></DIV>

'"C:\Inetpub\wwwroot\cpo\odvisnost\mediji.txt"'<BR>Select =



,no_output</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>If I set the permission for my user on=20
xp_cmdShell&nbsp;I get some strange error:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><FONT size=3D3>A severe error occurred =
on the current=20
command. The results, if any, should be discarded. xpsql.cpp: Error 1813 =
from=20
GetProxyAccount on line 472</FONT> </FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial>Why?</FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial>If I update my table from sqlQueryanalyzer like =
dbo user,=20
then everything is fine.</FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial>Thank you,</FONT></DIV>
<DIV><FONT face=3DArial>Simon</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Rodney Mullins" &lt;<A=20

wrote in=20
message <A=20
=

@TK2MSFTNGP10.phx.gbl</A>...</DIV>
<DIV><FONT face=3DVerdana size=3D2>simon,</FONT></DIV>
<DIV><FONT face=3DVerdana size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DVerdana size=3D2>xp_cmdShell is an extended stored =
procedure and=20
has separate permissions from regular stored procs.&nbsp; You need to =
provide=20
execute permission the usergroup/user.</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"simon" &lt;<A=20
=

A>&gt;=20

=

@TK2MSFTNGP12.phx.gbl</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>I have user with read permissions =
on my tables=20
and&nbsp;execute permission on my SP.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>In SP(owner is DBO)&nbsp;I update =
table(owner=20
is DBO), and on update the trigger is fired witch write some data=20
into&nbsp;the text file in my disk.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I get an error =
message:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>EXECUTE permission denied on object =

'xp_cmdshell', database 'master', owner 'dbo'</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Why?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I don't want that my read user has =
execute=20
permission on xp_cmdShell.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I thought if he has execute =
permission for my=20
sp, which owner is DBO, that inside SP I can do =
anything.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Is there any other =
way?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thank you,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Simon</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial=20
size=3D2></FONT>&nbsp;</DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_0031_01C439C5.E6A57480--

 
 
Dan





PostPosted: Fri May 14 08:28:01 CDT 2004 Top

SQL Server Developer >> xp_cmdShell xp_cmdshell runs under the security context of the SQL Agent Proxy account
when executed by non-sysadmin users. This requires that you allow
non-sysadmin users to execute xp_cmdshell (uncheck the 'Only users with
sysadmin privileges...' checkbox under SQL Server Agent properties --> Job
System) and specify a Windows account for the SQL Agent proxy with the
permissions needed to run you application).

Furthermore, the SQL Server service account needs special permissions in
order to switch security context to the proxy account. These permissions
are assigned automatically when the service account is configured during
installation or changed with Enterprise Manager but not when the service
account is changed by other means. See Service Accounts in the SQL 2000
Books Online <instsql.chm::/in_overview_6k1f.htm> for details of the needed
permissions.

> I don't want that my read user has execute permission on xp_cmdShell.
> I thought if he has execute permission for my sp, which owner is DBO, that
inside SP I can do anything.

Direct xp_cmdshell execute permissions are not needed as long as the
ownership chain is unbroken. This requires that your user database be owned
by 'sa' and you turn on the cross-database chaining option in your user
database. Note that you should allow cross-database chaining in an sa-owned
database only if sysadmin role members are the only users with permissions
to create dbo-owned objects in that database.

> Is there any other way?

I suggest you don't create the text file in a trigger. Consider performing
the task asynchronously. One method to accomplish this is to insert the
data into a staging table and schedule a separate task to create files.

--
Hope this helps.

Dan Guzman
SQL Server MVP



If I set the execute permission for 'xp_cmdshell' to my read user I get the
following error:

A severe error occurred on the current command. The results, if any, should
be discarded. xpsql.cpp: Error 1813 from GetProxyAccount on line 472
Any suggestion?

Thank you,
Simon


I have user with read permissions on my tables and execute permission on
my SP.

In SP(owner is DBO) I update table(owner is DBO), and on update the
trigger is fired witch write some data into the text file in my disk.

I get an error message:
EXECUTE permission denied on object 'xp_cmdshell', database 'master',
owner 'dbo'

Why?
I don't want that my read user has execute permission on xp_cmdShell.
I thought if he has execute permission for my sp, which owner is DBO, that
inside SP I can do anything.
Is there any other way?

thank you,
Simon



 
 
Julie





PostPosted: Fri May 14 08:29:38 CDT 2004 Top

SQL Server Developer >> xp_cmdShell The following is cut from bol
"By default, only members of the sysadmin fixed server
role can execute this extended stored procedure. You may,
however, grant other users permission to execute this
stored procedure. "

J


>-----Original Message-----
>I have user with read permissions on my tables and
execute permission on my SP.
>
>In SP(owner is DBO) I update table(owner is DBO), and on
update the trigger is fired witch write some data into the
text file in my disk.
>
>I get an error message:
>EXECUTE permission denied on object 'xp_cmdshell',
database 'master', owner 'dbo'
>
>Why?
>I don't want that my read user has execute permission on
xp_cmdShell.
>I thought if he has execute permission for my sp, which
owner is DBO, that inside SP I can do anything.
>Is there any other way?
>
>thank you,
>Simon
>
>