CommandShellLogin

Question

CommandShellLogin

arooj300

Hall of Fame

Points: 3433
More actions
January 29, 2014 at 8:56 am

#303518

Hi All,
I am new in the SQL SERVER.
Can anyone tell me why we used to give IMPERSONATE grant access for the login CommandShellLogin to the user .
Example:
USE [master]
GO
GRANT IMPERSONATE ON LOGIN::CommandShellLogin TO user
GO

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply

Jeff Moden SSC Guru Points: 1004302 More actions · Answer 1

arooj300 (1/29/2014)
Hi All,
I am new in the SQL SERVER.
Can anyone tell me why we used to give IMPERSONATE grant access for the login CommandShellLogin to the user .
Example:
USE [master]
GO
GRANT IMPERSONATE ON LOGIN::CommandShellLogin TO user
GO

One can only imagine that it's a wayward way of giving privs to a user so that they can run xp_CmdShell directly. That should never ever be done and that's why a lot of people mistakenly call xp_CmdShell a security risk. It's because people have created the risk. Only SA's and certain Stored Prodecures should be allowed to use xp_CmdShell.

--Jeff Moden

RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

Change is inevitable... Change for the better is not.

Helpful Links:
How to post code problems
How to Post Performance Problems
Create a Tally Function (fnTally)

arooj300 Hall of Fame Points: 3433 More actions · Answer 2

Thanks for the reply,

I want to ask ...

for file uploading(ex: excel, csv or word) in database, what should be access required to the user.

thanks

pietlinden SSC Guru Points: 63487 More actions · Answer 3

You could do it inside a stored procedure, and then grant the right to execute said stored procedure to whoever you wanted. You could add EXECUTE AS <user> inside your stored procedure.