Solved

Trying to run xp_cmdshell as a non-sysadmin user

Posted on 2008-06-11
11
1,288 Views
Last Modified: 2011-10-03
I need to be able to run xp_cmdshell from a sp in my database.  This runs fine for me, as I'm a sysadmin user, but when the actual user, who is not, tries to run it, it fails.

So I created a sql server login call xp_cmdshell_user which has sysadmin rights and I'm trying to switch the login to that user as my first step in my sp using the following:

EXECUTE AS LOGIN = 'xp_cmdshell_user'

When I run the sp as myself, again no problem.

When I run it as a non-sysadmin user I get the following error:

Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

I understand I need to set some sort of impersonation but I can't seem to get this to work with a windows login.  The current login trying to run the sp is MyDomain\TestUser.

I tried the following command:

GRANT IMPERSONATE ON USER:: 'MyDomain\TestUser' TO 'xp_cmdshell_user'

I get:
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near 'MyDomain\TestUser'.

0
Comment
Question by:Fraser_Admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
11 Comments
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759614
have you given permission to the sp

GRANT  EXECUTE  ON [dbo].[SPNAME]  TO [USERNAME]
GO
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21759620
try this:

GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO 'xp_cmdshell_user'
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759637
Also, take a look at this link...there is a sproc for doing this for non-sysadmin users:

http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx


EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT

 
0
 Watch the Recording: Learning MySQL 5.7

MySQL 5.7 has a lot of new features. If you've dabbled with an older version of MySQL, it is definitely worth learning.

 

Author Comment

by:Fraser_Admin
ID: 21759657
GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO xp_cmdshell_user
execute as login = 'MyDomain\testuser'
use myDatabase
exec process_Lab_Load
revert

I get error:
Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

Yes the MyDomain\TestUser has permissions to execute the sp.  xp_cmdshell_user is sysadmin and dbo on the database so it as well has permission.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759669
see my comment after that one...I think it is the way to go.
0
 

Author Comment

by:Fraser_Admin
ID: 21759708
OK I was calling my sp from SSMS and doing the impersonate before the actual call, so now i moved the impersonate into the sp and i get this error:

Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759738
you may not need to do the impersonation...did you use the sp_xp_cmdshell_proxy_account procedure?
0
 

Author Comment

by:Fraser_Admin
ID: 21759760
shouldn't need that for a sysadmin user.  i moved the impersonate to the sp and now it seems to work fine.  i forgot to take it out before my call and that was why i was getting that error.

now i get this one:

Ad hoc access to OLE DB provider 'MICROSOFT.JET.OLEDB.4.0' has been denied. You must access this provider through a linked server.

when i run this as me no problem, but as soon as i try to run as test user i get this message.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759776
thats a whole different question all together...must be something else you're doing in your proc.
0
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759806
did you give permission on the proc?
0
 

Author Comment

by:Fraser_Admin
ID: 21759853
hang on i'll open a new question, as you said it is something different.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question