Solved

Trying to run xp_cmdshell as a non-sysadmin user

Posted on 2008-06-11
11
1,278 Views
Last Modified: 2011-10-03
I need to be able to run xp_cmdshell from a sp in my database.  This runs fine for me, as I'm a sysadmin user, but when the actual user, who is not, tries to run it, it fails.

So I created a sql server login call xp_cmdshell_user which has sysadmin rights and I'm trying to switch the login to that user as my first step in my sp using the following:

EXECUTE AS LOGIN = 'xp_cmdshell_user'

When I run the sp as myself, again no problem.

When I run it as a non-sysadmin user I get the following error:

Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

I understand I need to set some sort of impersonation but I can't seem to get this to work with a windows login.  The current login trying to run the sp is MyDomain\TestUser.

I tried the following command:

GRANT IMPERSONATE ON USER:: 'MyDomain\TestUser' TO 'xp_cmdshell_user'

I get:
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near 'MyDomain\TestUser'.

0
Comment
Question by:Fraser_Admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
11 Comments
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759614
have you given permission to the sp

GRANT  EXECUTE  ON [dbo].[SPNAME]  TO [USERNAME]
GO
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21759620
try this:

GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO 'xp_cmdshell_user'
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759637
Also, take a look at this link...there is a sproc for doing this for non-sysadmin users:

http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx


EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT

 
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:Fraser_Admin
ID: 21759657
GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO xp_cmdshell_user
execute as login = 'MyDomain\testuser'
use myDatabase
exec process_Lab_Load
revert

I get error:
Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

Yes the MyDomain\TestUser has permissions to execute the sp.  xp_cmdshell_user is sysadmin and dbo on the database so it as well has permission.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759669
see my comment after that one...I think it is the way to go.
0
 

Author Comment

by:Fraser_Admin
ID: 21759708
OK I was calling my sp from SSMS and doing the impersonate before the actual call, so now i moved the impersonate into the sp and i get this error:

Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759738
you may not need to do the impersonation...did you use the sp_xp_cmdshell_proxy_account procedure?
0
 

Author Comment

by:Fraser_Admin
ID: 21759760
shouldn't need that for a sysadmin user.  i moved the impersonate to the sp and now it seems to work fine.  i forgot to take it out before my call and that was why i was getting that error.

now i get this one:

Ad hoc access to OLE DB provider 'MICROSOFT.JET.OLEDB.4.0' has been denied. You must access this provider through a linked server.

when i run this as me no problem, but as soon as i try to run as test user i get this message.
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21759776
thats a whole different question all together...must be something else you're doing in your proc.
0
 
LVL 31

Expert Comment

by:James Murrell
ID: 21759806
did you give permission on the proc?
0
 

Author Comment

by:Fraser_Admin
ID: 21759853
hang on i'll open a new question, as you said it is something different.
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question