RE: xp_cmdshell, ownership chaining, sql 2000



Check the Surface Area Configuration feature for xp_cmdshell to make sure it
is enabled.

"allmhuran" wrote:

Boy am I stumped.

SQL Server 2000 version 8.00.2039
Database owned by sa
Cross database ownership chaining enabled
A procedure (1) in the dbo schema
The procedure is called by a crystal report.
The procedure calls a second procedure (2) in the same database
The second procedure calls xp_cmdshell (in order to get a directory
listing for files which need to be imported to populate the report)
The crystal report connection is made with a user with explicit
execute permission on (1) (actually, 2 as well)

If I log in to SQL Server through SSMS 2005 using the same user as the
crystal report, I get the following error when attempting to execute
the procedure: "A severe error occurred on the current command. The
results, if any, should be discarded."

If I comment out the call to (2) (and thus the call to xp_cmdshell)
then I am able to successfully execute (1) through SSMS.

It was my understanding that with sa as the database owner, and dbo as
the owner of (1), that I would get an unbroken ownership chain through
to master in order to execute xp_cmdshell as long as the crystal login
had explicit execute permission on (1). But that doesn't seem to be
the case.

Under this scenario, is xp_cmdshell going to execute under the
security context of the sql agent or sa? If the agent, then the
problem may be that under the sql agent configuration in enterprise
manager, the checkbox "only users with sysadmin privileges can
execute cmdexec..." is checked. True?


For added giggles, if I run the crystal report (which has proc (1) as
its data source, and which I have set the location of many times in
order to confirm that it was actually calling the same proc), using
the same login that fails if I go through SSMS to call (1).... then it
works and returns data. But let's not talk about that.
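
A read-only T-SQL checklist for the setup listed in the original post, added here as an example and not posted by either participant. The names ReportDb, proc1 and proc2 are placeholders for the database and for procedures (1) and (2); run it as a sysadmin on the SQL Server 2000 instance.

```sql
-- Added example: ReportDb, proc1 and proc2 are placeholder names.
-- Every statement only reads configuration; nothing is changed.

-- 1. Server-wide cross-database ownership chaining (option added in SP3).
EXEC sp_configure 'Cross DB Ownership Chaining';

-- 2. Per-database chaining flag, and the login that owns each database.
EXEC sp_dboption 'ReportDb', 'db chaining';
SELECT name, SUSER_SNAME(sid) AS owner_login
FROM master.dbo.sysdatabases
WHERE name IN ('ReportDb', 'master');

-- 3. Owners of procedures (1) and (2). The chain holds only if both have
--    the same owner and that owner maps to the login owning xp_cmdshell.
USE ReportDb;
SELECT name, USER_NAME(uid) AS owner_user
FROM dbo.sysobjects
WHERE xtype = 'P' AND name IN ('proc1', 'proc2');

-- 4. Owner of xp_cmdshell in master, plus any explicit grants on it.
--    sp_helprotect raises an error if there are no permission rows.
USE master;
SELECT name, USER_NAME(uid) AS owner_user
FROM dbo.sysobjects
WHERE name = 'xp_cmdshell';
EXEC sp_helprotect 'xp_cmdshell';

-- 5. SQL Server Agent proxy account: on SQL Server 2000 this is the
--    Windows account xp_cmdshell runs as when the caller is not a member
--    of sysadmin. The report login's role membership decides which
--    context applies, so check that login on the second line.
EXEC master.dbo.xp_sqlagent_proxy_account N'GET';
SELECT IS_SRVROLEMEMBER('sysadmin') AS current_login_is_sysadmin;
```

Step 5 reports on the login running the script; to test the report login itself, run the last SELECT while connected as that login.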
