tags:

views:

1135

answers:

4
+4  Q: 

Execute xp_cmdshell command as specific user

Hello,

I would like to run xp_cmdshell (TSQL procedure) in order to mount a network drive and then access remotes mdb files.

I am administrator on the MS SQL server and I have allowed xp_cmdshell execution accordingly.

However, there is still a problem:

  • When I call xp_cmdshell, the user executing the command is the SQL SysAdmin, i.e. the account who run SQL Server process.

  • I wish xp_cmdshell executes as the account with which I'm connected to SQL server, i.e Administrator

Both of theses account are in administrator group, SQLAdmin group, and are granted to CONTROL SERVER. Both users belong to the same domain. All of this is run on the same machine.

Because of this conflict, I cannot use a network drive because it is mounted for SysAdmin and not for Administrator
I tried to use sp_ xp_ cmdshell_ proxy_ account to specify the account with which I want to run xp_cmdshell, but SysAdmin is still the used account.

Therefore, this code :
select user_name(), suser_name;
exec xp_cmdshell 'echo %username%';

displays :
Administrator Administrator
SysAdmin

Does anybody knows how to impersonate well the xp_cmdshell command ? Is there something to (re)configure?

Thanks for your help.

A: 

Maybe you could try PsExec? Download the file at this URL and copy it in a folder member of the %Path% environment variable.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

exec xp_cmdshell 'psexec -u Administrator -p password net use ...'

 2009-07-07 20:02:57
This may be a solution, but It implies writing the password in plain text, which is tricky.I'm looking for a pure TSQL way...
Antwan  2009-07-08 08:15:27
A: 

You could try "net use" with a username and password inside xp_cmdshell. This establishes the credentials for the connection to the UNC.

However, I'm not sure how long this would persist. If it persists indefinitely (eg until server restart), you could have a start-up stored procedure that does "net use" and ensures it's available for use later.

A subsequent xp_cmdshell (to access the MDB files) would not require the authentication because the credentials are already established within the OS.

gbn  2009-07-12 14:01:52
I'm almost ashamed to admit it, but this works. It's terrible from a security point of view, but I have done it out of desperation. BUT - are you opening MDB files directly from a network disk? That would keep me up nights. What I was doing was home-grown log shipping in an environment with no domain (i.e. just file copy operations)
onupdatecascade  2009-07-23 02:08:34
+1  A: 

Antwan,

Because you're connecting to SQL as a login in the sysadmin group, xp_cmdshell runs as the service account.

If you connect as a low-privilege login, then it will use the xp_cmdshell_proxy_account instead. So try doing EXECUTE AS LOGIN='lowprivaccount' first, to see if that helps.

Of course, what you're actually asking is not the expected use. Expected use is that the high-privilege accounts can allow xp_cmdshell to use the Service Account, whereas everyone else has to put up with the lower privilege proxy account.

Rob

Rob Farley  2009-07-27 03:57:33
So... do you really need to be running this using a security context in the sysadmin server role? Ideally you should only be using the sysadmin role when you need to do sysadmin things.
Rob Farley  2009-08-07 01:30:04
A: 

I actually have had to use this method in the past for similar things on network shares, try this...

-- map your drive and make it persistent.

xp_cmdshell"net use t: \\<server>\<share> <password> /user:<username> /persistent:yes"

-- t-sql code making use of the t drive

-- delete the drive mapping xp_cmdshell"net use t: /delete"

you can actually set up a job that executes when sql service starts and make it map this drive so you will always have access to the share as long as sql is running. All you would need to do is setup a sproc that maps the drive and have it do the initial mapping of the drive and make use of sp_procoption (http://msdn.microsoft.com/en-us/library/ms181720.aspx)

tnolan  2009-08-03 18:37:27

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?