views:

1135

answers:

4

Hello,

I would like to run xp_cmdshell (TSQL procedure) in order to mount a network drive and then access remotes mdb files.

I am administrator on the MS SQL server and I have allowed xp_cmdshell execution accordingly.

However, there is still a problem:

  • When I call xp_cmdshell, the user executing the command is the SQL SysAdmin, i.e. the account who run SQL Server process.

  • I wish xp_cmdshell executes as the account with which I'm connected to SQL server, i.e Administrator

Both of theses account are in administrator group, SQLAdmin group, and are granted to CONTROL SERVER. Both users belong to the same domain. All of this is run on the same machine.

Because of this conflict, I cannot use a network drive because it is mounted for SysAdmin and not for Administrator
I tried to use sp_ xp_ cmdshell_ proxy_ account to specify the account with which I want to run xp_cmdshell, but SysAdmin is still the used account.

Therefore, this code :
select user_name(), suser_name;
exec xp_cmdshell 'echo %username%';

displays :
Administrator Administrator
SysAdmin

Does anybody knows how to impersonate well the xp_cmdshell command ? Is there something to (re)configure?

Thanks for your help.

A: 

Maybe you could try PsExec? Download the file at this URL and copy it in a folder member of the %Path% environment variable.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

exec xp_cmdshell 'psexec -u Administrator -p password net use ...'

This may be a solution, but It implies writing the password in plain text, which is tricky.I'm looking for a pure TSQL way...
Antwan
A: 

You could try "net use" with a username and password inside xp_cmdshell. This establishes the credentials for the connection to the UNC.

However, I'm not sure how long this would persist. If it persists indefinitely (eg until server restart), you could have a start-up stored procedure that does "net use" and ensures it's available for use later.

A subsequent xp_cmdshell (to access the MDB files) would not require the authentication because the credentials are already established within the OS.

gbn
I'm almost ashamed to admit it, but this works. It's terrible from a security point of view, but I have done it out of desperation. BUT - are you opening MDB files directly from a network disk? That would keep me up nights. What I was doing was home-grown log shipping in an environment with no domain (i.e. just file copy operations)
onupdatecascade
+1  A: 

Antwan,

Because you're connecting to SQL as a login in the sysadmin group, xp_cmdshell runs as the service account.

If you connect as a low-privilege login, then it will use the xp_cmdshell_proxy_account instead. So try doing EXECUTE AS LOGIN='lowprivaccount' first, to see if that helps.

Of course, what you're actually asking is not the expected use. Expected use is that the high-privilege accounts can allow xp_cmdshell to use the Service Account, whereas everyone else has to put up with the lower privilege proxy account.

Rob

Rob Farley
So... do you really need to be running this using a security context in the sysadmin server role? Ideally you should only be using the sysadmin role when you need to do sysadmin things.
Rob Farley
A: 

I actually have had to use this method in the past for similar things on network shares, try this...

-- map your drive and make it persistent.

xp_cmdshell"net use t: \\<server>\<share> <password> /user:<username> /persistent:yes"

-- t-sql code making use of the t drive

-- delete the drive mapping xp_cmdshell"net use t: /delete"

you can actually set up a job that executes when sql service starts and make it map this drive so you will always have access to the share as long as sql is running. All you would need to do is setup a sproc that maps the drive and have it do the initial mapping of the drive and make use of sp_procoption (http://msdn.microsoft.com/en-us/library/ms181720.aspx)

tnolan