Solved

Trying to run xp_cmdshell as a non-sysadmin user

Posted on 2008-06-11
11
1,260 Views
Last Modified: 2011-10-03
I need to be able to run xp_cmdshell from a sp in my database.  This runs fine for me, as I'm a sysadmin user, but when the actual user, who is not, tries to run it, it fails.

So I created a sql server login call xp_cmdshell_user which has sysadmin rights and I'm trying to switch the login to that user as my first step in my sp using the following:

EXECUTE AS LOGIN = 'xp_cmdshell_user'

When I run the sp as myself, again no problem.

When I run it as a non-sysadmin user I get the following error:

Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

I understand I need to set some sort of impersonation but I can't seem to get this to work with a windows login.  The current login trying to run the sp is MyDomain\TestUser.

I tried the following command:

GRANT IMPERSONATE ON USER:: 'MyDomain\TestUser' TO 'xp_cmdshell_user'

I get:
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near 'MyDomain\TestUser'.

0
Comment
Question by:Fraser_Admin
  • 5
  • 4
  • 2
11 Comments
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759614
have you given permission to the sp

GRANT  EXECUTE  ON [dbo].[SPNAME]  TO [USERNAME]
GO
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21759620
try this:

GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO 'xp_cmdshell_user'
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759637
Also, take a look at this link...there is a sproc for doing this for non-sysadmin users:

http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx


EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT

 
0
 

Author Comment

by:Fraser_Admin
ID: 21759657
GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO xp_cmdshell_user
execute as login = 'MyDomain\testuser'
use myDatabase
exec process_Lab_Load
revert

I get error:
Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

Yes the MyDomain\TestUser has permissions to execute the sp.  xp_cmdshell_user is sysadmin and dbo on the database so it as well has permission.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759669
see my comment after that one...I think it is the way to go.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:Fraser_Admin
ID: 21759708
OK I was calling my sp from SSMS and doing the impersonate before the actual call, so now i moved the impersonate into the sp and i get this error:

Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759738
you may not need to do the impersonation...did you use the sp_xp_cmdshell_proxy_account procedure?
0
 

Author Comment

by:Fraser_Admin
ID: 21759760
shouldn't need that for a sysadmin user.  i moved the impersonate to the sp and now it seems to work fine.  i forgot to take it out before my call and that was why i was getting that error.

now i get this one:

Ad hoc access to OLE DB provider 'MICROSOFT.JET.OLEDB.4.0' has been denied. You must access this provider through a linked server.

when i run this as me no problem, but as soon as i try to run as test user i get this message.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759776
thats a whole different question all together...must be something else you're doing in your proc.
0
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759806
did you give permission on the proc?
0
 

Author Comment

by:Fraser_Admin
ID: 21759853
hang on i'll open a new question, as you said it is something different.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's review the features of new SQL Server 2012 (Denali CTP3). It listed as below: PERCENT_RANK(): PERCENT_RANK() function will returns the percentage value of rank of the values among its group. PERCENT_RANK() function value always in be…
JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now