Re: xp_cmdShell
From: Dan Guzman (danguzman_at_nospam-earthlink.net)
Date: 05/14/04
- Next message: Julie: "xp_cmdShell"
- Previous message: shank: "WHERE and CASE"
- In reply to: simon: "Re: xp_cmdShell"
- Next in thread: Rodney Mullins: "Re: xp_cmdShell"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 14 May 2004 08:28:01 -0500
xp_cmdshell runs under the security context of the SQL Agent Proxy account
when executed by non-sysadmin users. This requires that you allow
non-sysadmin users to execute xp_cmdshell (uncheck the 'Only users with
sysadmin privileges...' checkbox under SQL Server Agent properties --> Job
System) and specify a Windows account for the SQL Agent proxy with the
permissions needed to run you application).
Furthermore, the SQL Server service account needs special permissions in
order to switch security context to the proxy account. These permissions
are assigned automatically when the service account is configured during
installation or changed with Enterprise Manager but not when the service
account is changed by other means. See Service Accounts in the SQL 2000
Books Online <instsql.chm::/in_overview_6k1f.htm> for details of the needed
permissions.
> I don't want that my read user has execute permission on xp_cmdShell.
> I thought if he has execute permission for my sp, which owner is DBO, that
inside SP I can do anything.
Direct xp_cmdshell execute permissions are not needed as long as the
ownership chain is unbroken. This requires that your user database be owned
by 'sa' and you turn on the cross-database chaining option in your user
database. Note that you should allow cross-database chaining in an sa-owned
database only if sysadmin role members are the only users with permissions
to create dbo-owned objects in that database.
> Is there any other way?
I suggest you don't create the text file in a trigger. Consider performing
the task asynchronously. One method to accomplish this is to insert the
data into a staging table and schedule a separate task to create files.
-- Hope this helps. Dan Guzman SQL Server MVP "simon" <simon.zupan@stud-moderna.si> wrote in message news:OVQljIbOEHA.624@TK2MSFTNGP11.phx.gbl... If I set the execute permission for 'xp_cmdshell' to my read user I get the following error: A severe error occurred on the current command. The results, if any, should be discarded. xpsql.cpp: Error 1813 from GetProxyAccount on line 472 Any suggestion? Thank you, Simon "simon" <simon.zupan@stud-moderna.si> wrote in message news:uGrouFbOEHA.2164@TK2MSFTNGP12.phx.gbl... I have user with read permissions on my tables and execute permission on my SP. In SP(owner is DBO) I update table(owner is DBO), and on update the trigger is fired witch write some data into the text file in my disk. I get an error message: EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' Why? I don't want that my read user has execute permission on xp_cmdShell. I thought if he has execute permission for my sp, which owner is DBO, that inside SP I can do anything. Is there any other way? thank you, Simon
- Next message: Julie: "xp_cmdShell"
- Previous message: shank: "WHERE and CASE"
- In reply to: simon: "Re: xp_cmdShell"
- Next in thread: Rodney Mullins: "Re: xp_cmdShell"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
