Solved

Trying to run xp_cmdshell as a non-sysadmin user

Posted on 2008-06-11
11
1,271 Views
Last Modified: 2011-10-03
I need to be able to run xp_cmdshell from a sp in my database.  This runs fine for me, as I'm a sysadmin user, but when the actual user, who is not, tries to run it, it fails.

So I created a sql server login call xp_cmdshell_user which has sysadmin rights and I'm trying to switch the login to that user as my first step in my sp using the following:

EXECUTE AS LOGIN = 'xp_cmdshell_user'

When I run the sp as myself, again no problem.

When I run it as a non-sysadmin user I get the following error:

Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

I understand I need to set some sort of impersonation but I can't seem to get this to work with a windows login.  The current login trying to run the sp is MyDomain\TestUser.

I tried the following command:

GRANT IMPERSONATE ON USER:: 'MyDomain\TestUser' TO 'xp_cmdshell_user'

I get:
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near 'MyDomain\TestUser'.

0
Comment
Question by:Fraser_Admin
  • 5
  • 4
  • 2
11 Comments
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759614
have you given permission to the sp

GRANT  EXECUTE  ON [dbo].[SPNAME]  TO [USERNAME]
GO
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21759620
try this:

GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO 'xp_cmdshell_user'
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759637
Also, take a look at this link...there is a sproc for doing this for non-sysadmin users:

http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx


EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT

 
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:Fraser_Admin
ID: 21759657
GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO xp_cmdshell_user
execute as login = 'MyDomain\testuser'
use myDatabase
exec process_Lab_Load
revert

I get error:
Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

Yes the MyDomain\TestUser has permissions to execute the sp.  xp_cmdshell_user is sysadmin and dbo on the database so it as well has permission.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759669
see my comment after that one...I think it is the way to go.
0
 

Author Comment

by:Fraser_Admin
ID: 21759708
OK I was calling my sp from SSMS and doing the impersonate before the actual call, so now i moved the impersonate into the sp and i get this error:

Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759738
you may not need to do the impersonation...did you use the sp_xp_cmdshell_proxy_account procedure?
0
 

Author Comment

by:Fraser_Admin
ID: 21759760
shouldn't need that for a sysadmin user.  i moved the impersonate to the sp and now it seems to work fine.  i forgot to take it out before my call and that was why i was getting that error.

now i get this one:

Ad hoc access to OLE DB provider 'MICROSOFT.JET.OLEDB.4.0' has been denied. You must access this provider through a linked server.

when i run this as me no problem, but as soon as i try to run as test user i get this message.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759776
thats a whole different question all together...must be something else you're doing in your proc.
0
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759806
did you give permission on the proc?
0
 

Author Comment

by:Fraser_Admin
ID: 21759853
hang on i'll open a new question, as you said it is something different.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
sqlquerystress - To test db performance 8 39
MS SQL with ODBC 5 34
sql 2014,  lock limit 5 29
Query Help - MSSQL - Averages 5 25
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now