Solved

Sybase - Extended Stored Procedures/XP SERVER

Posted on 2000-03-15
Medium Priority
2,334 Views
Last Modified: 2012-05-04
Sybase Extended Stored Procedure - UNIX Privileges:
When writing/executing the 'C' code for creating a custom ESP, do I need to use user 'sybase' (with extensive unix privileges)?

If no, do we need user 'sybase' during the FIRST start of the XP SERVER?

Does the security context setting associated with xp_cmdshell (system supplied ESP) pertain to that one ESP or does it affect the user created ones too?
Pls. help me as I don't seem to get any info which answers my question from the SYBASE site.
Question by:1harsha
5 Comments
 
LVL 2

Expert Comment

by:jkotek
ID: 2624533
Well, AFAIK the XP server runs under the same OS account as the associated dataserver (sybase user by default), so you need that account to have the ASE up and running.
The xp_cmdshell gives you the permissions of this user, so you should prevent ordinary users from using it (so they cannot execute OS commands on the server with the permissions of the sybase user).
The "xp_cmdshell context" config parameter prevents this and works ONLY with xp_cmdshell. Permissions to other ESPs can be granted/revoked as with normal stored procedures.
 

Author Comment

by:1harsha
ID: 2625009
Let me explain my problem in detail.
I am a developer, trying to use ESPs for replication.
Our DBAs don't like the idea of someone using 'SYBASE' user permissions.
-------------------
Assume
1. The ASE is up and running (DBA's job).
2. The DBA runs a system ESP (I don't care which one) to start the xp_server. OK, now the ASE & xp_server are up and running.

Now for the questions
1. When I try to run a custom ESP, would it have to run under the security context of the xp_server, that is (user 'sybase')?
If so,
is there no way I could restrict the permissions (unix shell) of this custom ESP so that the DBAs would be pleased?

By the way, are you a DBA?
Real 'nice'(*^@$#@$) guys these DBAs.
just kidding ....
 
LVL 2

Accepted Solution

by:
jkotek earned 800 total points
ID: 2628139
Just checked my ASE install...

In fact, during installation of ASE you can choose under which OS account the XP server runs (default is sybase user). The 'XP user' should have access to the dlls where you have the C code for ESPs and that is the only requirement.
I have looked in the docs, but cannot find how to change this XP user - maybe sybconfig (I run on NT, sorry)?

I see two points where you can argue with the DBA:

1) let him change the user the XP server runs under to something 'safer' than the sybase user (this won't affect the dataserver - it can run under a different user than the XP server) - that way the XP user won't have access to the dataserver's devices (files/partitions) where ASE stores data (they are usually owned by the dataserver user [sybase]).

2) the access to the ESP is managed by standard db means - grant/revoke stuff.

BTW I am a presale consultant from one of Sybase's distributors.
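Added example, not part of the original thread and not Sybase's own code: the grant/revoke approach from the accepted answer, written out as an isql session on ASE. The ESP name `xp_repl_notify`, the library `librepl_esp.so`, the role `esp_repl_role` and the login `repl_dev` are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: xp_repl_notify, librepl_esp.so,
-- esp_repl_role, repl_dev. Run as a login with sa_role (and sso_role
-- for the role statements).
use master
go

-- xp_cmdshell executes OS commands through the XP Server, so make sure
-- it is not executable by ordinary users (harmless if never granted).
revoke execute on xp_cmdshell from public
go

-- Display the current "xp_cmdshell context" value. Per the thread this
-- parameter applies to xp_cmdshell only, not to custom ESPs.
sp_configure "xp_cmdshell context"
go

-- Register the custom ESP. The library must be readable by the OS
-- account the XP Server runs under.
sp_addextendedproc xp_repl_notify, "librepl_esp.so"
go

-- Control who may call the ESP with ordinary permissions: a dedicated
-- role holds execute, and only the replication developer gets the role.
create role esp_repl_role
go
grant execute on xp_repl_notify to esp_repl_role
go
grant role esp_repl_role to repl_dev
go

-- Review the result: the ESP-to-library mapping and who holds execute
-- on the custom ESP and on xp_cmdshell.
sp_helpextendedproc xp_repl_notify
go
sp_helprotect xp_repl_notify
go
sp_helprotect xp_cmdshell
go
```

Database permissions only decide who may call the ESP. The code inside it still runs with whatever OS account the XP Server was started under, which is why the answer's first point (a separate, less privileged XP Server account) matters as well.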
 

Author Comment

by:1harsha
ID: 2628367
OK, now you earned your points.
Thanks for the help.

 

Author Comment

by:1harsha
ID: 2628829
Jkotek:
This is a 'solved case':
I think if you read through it you will notice that no matter what, you need super user privileges. This roundabout fashion and stupid f*&**% approach that SYBASE has leaves me with one option: wait for a day when I can switch to UDB or Oracle.
No wonder neither the share price nor the market share ever goes up.

Case ID: 10376300 Product: Adaptive Server Enterprise
Open Date: 03/27/1998 12:37:58 OS: HP-UX 10.20
Version/EBF: 1150 Generic Platform: HP 9000/800 Generic
Problem Description:
xp server xp_cmdshell error - user access denied. Failed to change the user context when you executed xp_cmdshell 'ls' from isql using a server login that matched your unix login and sp_configure 'xp_cmdshell context' set to 1
 
Tip or Workaround:
 
Resolution:
The unix user id, for example sybase, must have super-user root privilege so that the unix user id with the same ASE userid can execute xp_cmdshell with their unix user account's privileges and with sp_configure "xp_cmdshell context" set to 1
 
Other Sources Related to Issue(Type - Location):
TechNote -  
TechNote -
