SQL User cannot access file system with functions or queries

I have a user that is trying to run an SQL function that includes:
   
xp_dirtree @directory, 10, 1

in SQL Server 2008.

The function works fine on other accounts that people use, but on this user's account it doesn't seem to allow their SQL user account to access the file system.

I cannot work out if the access to the file structure is a setting within SSMS on the user account there, or if it is something within the file permissions on the file server, or something within the settings of the user's domain account.

The Set-up is SQL Server 2008.
File Server is Windows Server 2012 R2
SQL Server is Windows Server 2008 R2
The User has "Owner" level permission on the database where the function and output tables are stored.
The User has "modify" permissions

Any help would be great.

Kind Regards

Matt

Daniel_PLDB Expert/Architect
Top Expert 2011

Commented:
This command uses SQL Server service account permissions. Inside SQL Server you grant permissions to this function, however, outside SQL Server its service account gets data for you.
Don't forget it's an undocumented procedure.

Author

Commented:
So is it possible to set this user to be able to run this function?
Whether that be a workaround or a change to the function to run it through the service account or some settings that need to be changed, we just need this user account to be able to run the function.

Kind regards

Matt
DB Expert/Architect
Top Expert 2011
Commented:
Inside the database you have to be a sysadmin to run this procedure. Outside, at the filesystem level, the SQL Server service account has to have appropriate permissions.

According to Erland Sommarskog you can wrap it and grant access to other users:
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/be74d21e-8723-4d63-9df0-1cf76cf049e0/running-xpdirtree?forum=sqlsecurity

* You write a stored procedure that calls xp_dirtree
* Then you create a certificate in the master database which you use to sign the wrapper
* Then you create a login from the certificate (this login cannot log in, it's just a holder for permissions)
* Then you add the cert login to sysadmin
* Finally, you grant permission to the user in question
* If you put the procedure in master, you will need to add the user to master

Here is an example of how to wrap xp_dirtree:
http://www.patrickkeisler.com/2012/12/how-to-use-xpdirtree-to-list-all-files-part2.html

Regards,
Daniel
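
The certificate-signing steps listed in the answer above, written out as T-SQL for SQL Server 2008. This is an added example, not code from the thread or from the linked articles; the procedure, certificate and login names, the `CONTOSO\newstarter` account, the `\\fileserver\reports` share and the password placeholder are all assumptions, and the path check is an extra restriction added here so the sysadmin-signed wrapper cannot be pointed at arbitrary directories.

```sql
USE master;
GO
-- Wrapper procedure (hypothetical name); callers never execute xp_dirtree directly.
CREATE PROCEDURE dbo.usp_ListDirectory
    @directory nvarchar(260)
AS
BEGIN
    SET NOCOUNT ON;
    -- Assumption: listings are confined to one share, because the signed module
    -- runs with sysadmin rights and the service account's file access.
    IF @directory IS NULL
       OR @directory NOT LIKE N'\\fileserver\reports\%'
       OR @directory LIKE N'%..%'
    BEGIN
        RAISERROR(N'Directory is outside the permitted share.', 16, 1);
        RETURN;
    END;
    EXEC master.sys.xp_dirtree @directory, 10, 1;
END;
GO
-- Certificate in master that signs the wrapper (password is a placeholder).
CREATE CERTIFICATE DirTreeSigningCert
    ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Signs dbo.usp_ListDirectory';
GO
ADD SIGNATURE TO dbo.usp_ListDirectory
    BY CERTIFICATE DirTreeSigningCert
    WITH PASSWORD = '<placeholder-strong-password>';
GO
-- Drop the private key so the certificate cannot be used to sign other modules.
ALTER CERTIFICATE DirTreeSigningCert REMOVE PRIVATE KEY;
GO
-- Login created from the certificate: it cannot connect, it only holds permissions.
CREATE LOGIN DirTreeSigningLogin FROM CERTIFICATE DirTreeSigningCert;
EXEC sp_addsrvrolemember @loginame = N'DirTreeSigningLogin', @rolename = N'sysadmin';
GO
-- The procedure lives in master, so the caller needs a user there plus EXECUTE.
CREATE USER [CONTOSO\newstarter] FOR LOGIN [CONTOSO\newstarter];
GRANT EXECUTE ON dbo.usp_ListDirectory TO [CONTOSO\newstarter];
GO
```

Altering the procedure removes its signature, so any later change to the wrapper has to be re-signed; with the private key removed, that means creating a new certificate and login.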

Author

Commented:
Thanks Daniel.

I can start working on this with the links you provided. We have a new starter that doesn't need sysadmin level rights and this workaround should allow these functions to continue as normal.

Kind regards

Matt