Re: grant permission question

anonymous_at_discussions.microsoft.com
Date: 03/24/04 

Date: Wed, 24 Mar 2004 13:48:39 -0800

Remarks
xp_cmdshell operates synchronously. Control is not
returned until the command shell command completes.

When you grant execute permissions to users, the users
can execute any operating-system command at the Microsoft
Windows NT® command shell that the account running
Microsoft SQL ServerT has the needed privileges to
execute.

By default, only members of the sysadmin fixed server
role can execute this extended stored procedure. You may,
however, grant other users permission to execute this
stored procedure.

When xp_cmdshell is invoked by a user who is a member of
the sysadmin fixed server role, xp_cmdshell will be
executed under the security context in which the SQL
Server service is running. When the user is not a member
of the sysadmin group, xp_cmdshell will impersonate the
SQL Server Agent proxy account, which is specified using
xp_sqlagent_proxy_account. If the proxy account is not
available, xp_cmdshell will fail. This is true only for
Microsoft® Windows NT® 4.0 and Windows 2000. On Windows
9.x, there is no impersonation and xp_cmdshell is always
executed under the security context of the Windows 9.x
user who started SQL Server.

Note In earlier versions, a user who was granted execute
permissions for xp_cmdshell ran the command in the
context of the MSSQLServer service's user account. SQL
Server could be configured (through a configuration
option) so that users who did not have sa access to SQL
Server could run xp_cmdshell in the context of the
SQLExecutiveCmdExec Windows NT account. In SQL Server
7.0, the account is called SQLAgentCmdExec. Users who are
not members of the sysadmin fixed server role now run
commands in the context of this account without
specifying a configuration change.

>-----Original Message-----
>under sa account,
>I run following script,
>
>exec sp_executesql N'GRANT EXECUTE ON dbo.xp_cmdshell TO
joe'
>
>
>
>
>now, I loginid using joe/joe
>
>run following script:
>xp_cmdshell ' dir *.exe'
>
>I got error:
>
>Msg 50001, Level 1, State 50001
>xpsql.cpp: Error 87 from GetProxyAccount on line 604
>
>
>
>Any other question, how do I Undo my grant execution
permission to joe?
>is there a query to ungrant execute on dbo.xp_cmdshell
to joe?
>
>
>.
>

Relevant Pages

  • Re: IIS 6.0 on Windows Server 2003
    ... If PHP insists on using CMD.EXE to execute the shellcommand on the ... server, then no, you have no choice -- you must give read permissions to the ... this would be a security vulnerability caused by PHP. ...
    (microsoft.public.inetserver.misc)
  • Execute Process Task not failing, but not executing the batch comm
    ... I can execute the following command from the windows "Run" prompt and it ... Might I have something set weird in SQL Server? ... server being by default configured to run as localsystem account, ...
    (microsoft.public.sqlserver.dts)
  • Re: Cant launch graphical apps from php exec() on Ubuntu 8.04 system.
    ... You can't open server programs in remote clients via HTTP. ... command on a WAMP stack, so I think the problem is likely to ... permission based, having just switched to linux, but I'm not sure. ... You can change the user account the webserver runs under, ...
    (comp.lang.php)
  • Re: Cant launch graphical apps from php exec() on Ubuntu 8.04 system.
    ... You can't open server programs in remote clients via HTTP. ... command on a WAMP stack, so I think the problem is likely to ... permission based, having just switched to linux, but I'm not sure. ... account if used as a service. ...
    (comp.lang.php)
  • Re: Server Unavailable - ASP.NET 2.0 on Windows XP
    ... The error message is "Server Application Unavailable". ... The user account I've ... Please review the permissions outlined in this article. ... So I switched to that directory in Command Prompt and tried the ...
    (microsoft.public.dotnet.framework.aspnet)