Re: stored procedure xp_cmdshell

From: Aaron Weiker (aaron_at_sqlprogrammer.org)
Date: 01/25/05


Date: Mon, 24 Jan 2005 18:53:57 -0800

It is generally a very bad thing to ever grant xp_cmdshell to anyone. Is
there any reason that you can't create this directly from your ASP.NET application?
Granted, you'll have to give this permission to the user ASP.NET is running
as. However, you can now at least restrict the directories and permissions
you are granting instead of opening up your entire SQL Server.

--
Aaron Weiker
http://aaronweiker.com/
> Hi,
> 
> Here is a small issue. I am making an ASP.NET website where users can
> upload images. I was originally planning to have the images to SQL,
> but then thought that I'd upload them to a regular directory and keep
> just the name and location of the file in the sql table. Now, to keep
> things more organized, I want to allow each user to have their own
> directory and they can create subdirectories inside their folder. I
> found master.dbo.xp_cmdshell a good candidate for what I need, but I
> also found that I would have to give the user permissions on the
> xp_cmdshell stored procedure and of course the master database (which
> I don't want to do).
> 
> How would I fix the problem? I thought that inside my stored
> procedure, I can somehow grant the user temporary permission on the
> master database and the xp.. stored procedure.
> 
> Is there a better solution?
> 
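
Added example, not part of the original thread: one way the ASP.NET application could create the per-user folders itself, so the SQL login never needs xp_cmdshell or rights on master. The class and method names, the `D:\SiteData\Uploads` root and the integer `userId` taken from the authenticated session are assumptions for illustration.

```csharp
using System;
using System.IO;

public static class UserFolders
{
    // Assumed upload root. The ASP.NET account needs create/write rights
    // on this directory tree only, and nothing elsewhere on the server.
    private const string UploadRoot = @"D:\SiteData\Uploads";

    // Creates <UploadRoot>\<userId>\<relativePath> and returns the full path,
    // which is the value to store in the SQL table next to the file name.
    public static string CreateUserDirectory(int userId, string relativePath)
    {
        // The user folder name comes from the numeric id, never from user input.
        string userRoot = Path.Combine(Path.GetFullPath(UploadRoot), userId.ToString());
        string target = userRoot;

        // Validate each requested segment on its own, so "..", drive letters
        // and reserved characters are rejected before touching the file system.
        string[] segments = (relativePath ?? "").Split(
            new char[] { '/', '\\' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string segment in segments)
        {
            if (!IsSafeSegment(segment))
                throw new ArgumentException("Invalid folder name: " + segment);
            target = Path.Combine(target, segment);
        }

        // Second check: canonicalize and confirm the result is still inside
        // this user's own folder.
        string full = Path.GetFullPath(target);
        string prefix = userRoot + Path.DirectorySeparatorChar;
        if (!String.Equals(full, userRoot, StringComparison.OrdinalIgnoreCase) &&
            !full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the user folder.");

        Directory.CreateDirectory(full); // also creates missing parent folders
        return full;
    }

    private static bool IsSafeSegment(string s)
    {
        if (s.Length > 64 || s == "." || s == "..") return false;
        // Windows silently strips trailing dots and spaces from names.
        if (s.EndsWith(".") || s.EndsWith(" ")) return false;
        return s.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
    }
}
```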

