Solved

Sybase - Extended Stored Procedures/XP SREVER..

Posted on 2000-03-15
5
2,068 Views
Last Modified: 2012-05-04
Sybase Extended Stored Procedure -UNIX Privilages:
When writing/executing the 'C' code for creating a custom ESP, do I need to use user 'sybase' (with extensive unix privilages)?

If no, do we need user 'sybase' during the FIRST start of the XP SERVER.
 
Does the security context settings associated with xp_cmdshell(system supplied ESP) pertain to that one ESP or does it affect the user created ones too?
Pls. help me as I dont seem to get any info. which answers my question from SYBASE site.
0
Comment
Question by:1harsha
  • 3
  • 2
5 Comments
 
LVL 2

Expert Comment

by:jkotek
ID: 2624533
Well, AFAIK the XP server runs under same OS account as the associated dataserver (sybase user by default) so you need that account to have the ASE up and running.
The xp_cmdshell gives you permissions of this user so you should prevent ordinary users from using it (so they cannot execute OS commands on server with permissions of sybase user).
The "xp_cmdshell context" config parameter prevents this and works ONLY with the xp_cmdshell. Permissions to other ESP can be granted/revoked as with normal stored procedures.
0
 

Author Comment

by:1harsha
ID: 2625009
Let me explain my prob. in detail.
I am a developer, trying to Use ESP's for replication.
Our DBA's dont like the idea of someone using 'SYBASE' user permissions.
-------------------
Assume
1.The ASE is up and running(DBA's job).
2.The DBA runs a system ESP(I dont care which one) to start the xp_server. OK, now the ASE & xp_server is  up and running.

Now for the questions
1.When I try to run a custom ESP would it have to run under the security context of the xp_server that is(user 'sybase')?
IF so,
IS there no way I could restrict permisisons (unix shell) of this custom ESP so that the DBA's would be pleased.?

By the way are you a DBA?
Real 'nice'(*^@$#@$) guys these DBA's.  
just kidding ....


















0
 
LVL 2

Accepted Solution

by:
jkotek earned 200 total points
ID: 2628139
Just checked my ASE install...

In fact during installation of ASE you can choose under which OS account the XP server runs (default is sybase user). The 'XP user' should have access to the dlls where you have the C code for ESPs and that is the only requierement.
I have looked in the docs, but cannot find how to change this XP user - maybye sybconfig (I run on NT, sorry)?.

I see two points where you can argument with dba:

1) let him change the user the XP server runs under to something 'safer' than sybase user (this won't affect the dataserver - it can run under different user than XP server) - that way the XP user won't have access to the dataserver's devices (files/partitions) where ASE stores data (they are usually owned by dataserver user [sybase]).

2) the access to the ESP is managed by standard db means - grant/revoke stuff.

BTW I am presale consultant from one of Sybase's distributors.
0
 

Author Comment

by:1harsha
ID: 2628367
OK, now you earned your points.
Thanks for the help.

0
 

Author Comment

by:1harsha
ID: 2628829
Jkotek:
This is a 'solved case':
I think if you read thru it you will notice that no matter what you need super user privilages. This round about fashion and stupid f*&**% approach that
SYBASE has leaves me with one option wait for a day when I can switch to UDB or Oracle.
No wonder the Share prive nor the market share ever goes up.

Case ID: 10376300 Product: Adaptive Server Enterprise
Open Date: 03/27/1998 12:37:58 OS: HP-UX 10.20
Version/EBF: 1150 Generic Platform: HP 9000/800 Generic
Problem Description:
xp server xp_cmdshell error -  user access denied Failed to change the user context when you executed xp_cmdshell 'ls' from isql using a server  login that matched your unix login and sp_configure ' xp_cmdshell context ' set to 1
 
Tip or Workaround:
 
Resolution:
The unix user id, for example sybase, must have super-user root privilege so that the unix user id with the same ASE userid can execute xp_cmdshell with their unix user account's privileges and with sp_configure " xp_cmdshell context " set to 1
 
Other Sources Related to Issue(Type - Location):
TechNote -  
TechNote -

0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
sybase sql anywhere unload database 3 790
SQL Syntax 6 380
SQL Syntax Select Top in each group 2 169
InterSystems Caché OPEN QUERY 4 416
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In  today’s increasingly digital world, managed service providers (MSPs) fight for their customers’ attention, looking for ways to make them stay and purchase more services. One way to encourage that behavior is to develop a dependable brand of prod…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now