May 20, 2013 at 12:46 pm
Hi all,
I have a s/p which runs bcp and creates a CSV export file. Works fine in development (my rights) but not for any other user. To run bcp, I need to use sp_configure to turn on 'configure advanced options', then xp_cmdshell to run bcp. Both of these options are OFF by default.
SO: I turn on the advanced options, turn on xm_cdmshell, run my code, turn off xp_cmdshell, then turn off advanced options.
It works great for me but other users get permissions errors trying to run the system stored procs. They can run the s/p in my local db, but not the ones that live in master db. I've been playing with GRANT and EXECUTE AS but have no luck yet with either one. Has anyone ever done this?
Thanks!
Here's my [edited] code, a few things left out for clarity:
ALTER PROCEDURE [dbo].[aMyAppCreateUploadCSV]
AS
DECLARE @sqlvarchar(255)
DECLARE @FileNamevarchar(50)
DECLARE @DestFolder varchar(100)
-- Turn on Advanced security options
EXECUTE master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE
-- make sure xp_cmdshell is turned on and reconfigure with new value
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
SELECT @FileName = 'Upload_TEST.csv';
SELECT @DestFolder = '\\myserver\user\UploadFiles\';
SET @sql = 'bcp "exec [MyDB].[dbo].aExtractDataCSV" queryout "' + @destFolder + @fileName + '" -t \, -T -c'
EXECUTE master.dbo.xp_cmdshell @sql
-- turn off xp_cmdshell and reconfigure with new value
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE
-- Turn off Advanced security options
EXECUTE master.dbo.sp_configure 'show advanced options', 0
RECONFIGURE
Sigerson
"No pressure, no diamonds." - Thomas Carlyle
May 20, 2013 at 1:07 pm
here's an example of EXECUTE AS with a super user:
now even as a super user, if you are trying to touch network shares or special folders , you might still get permissions problems , depending on the acocunt being used to run the SQL service...that is what has to have file permissions.
GO
--create our super user
CREATE LOGIN [superman] WITH PASSWORD=N'NotARealPassword',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=ON, CHECK_POLICY=ON;
GO
--make our special user a sysadmin
EXEC master..sp_addsrvrolemember @loginame = N'superman', @rolename = N'sysadmin';
GO
--noone will ever login with this, it's used for EXECUTE AS, so disable the login.
ALTER LOGIN [superman] DISABLE;
GO
USE [SandBox];
GO
CREATE USER [superman] FOR LOGIN [superman];
GO
USE [SandBox];
GO
EXEC sp_addrolemember N'db_owner', N'superman';
GO
--now create our procedure that runs under special priviledges instead of as the caller.
--the EXECUTE AS must be a user in the database...not a login
CREATE PROCEDURE TestCmdShell
WITH EXECUTE AS 'superman'
AS
BEGIN
SET NOCOUNT ON
create table #Files (
FName varchar(1000));
insert into #Files (FName)
exec master..xp_cmdshell 'dir c:\*.txt /b';
select * from #Files;
END
GO
EXECUTE AS USER='superman';
DECLARE @Results table(
ID int identity(1,1) NOT NULL,
TheOutput varchar(1000))
insert into @Results (TheOutput)
exec master..xp_cmdshell 'whoami' --nt authority\system for example
insert into @Results (TheOutput)
exec master..xp_cmdshell 'cd %userprofile%' --NULL because nt authority\system is not a user...command fails.
select * from @Results
if the above returns blanks or nt authority\system, then you need to modify the startup account
Lowell
May 20, 2013 at 5:12 pm
Lowell (5/20/2013)
if the above returns blanks or nt authority\system, then you need to modify the startup account
How does the startup account need to be modified because I'm getting the following error...
[font="Courier New"]Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.[/font]
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply