xp_cmdshell issue

  • Hi All,

    I wonder if anyone can help shed some light on an issue i've run into. I'm attempting to call an executable and pass it the 4 parameters below. When the query runs in SQL query analyser it runs continuously, seemingly without end. I've logged onto the server (Windows Server 2008 - MSSQL 2008) as the Admin in an attempt to rule out any permissions issue.

    When the string from below is run in a DOS-CMD the process runs perfectly in about 8 seconds

    master..xp_cmdshell 'C:\Temp\Temp.exe serverName,databaseName,Source,Output'

    Any help would be greatly appreciated. If you need any more info, please let me know

    My Apologies if this is in the wrong forum.

    Many Thanks

    Chris

  • Chris Hazeldene (6/28/2010)


    I've logged onto the server (Windows Server 2008 - MSSQL 2008) as the Admin in an attempt to rule out any permissions issue.

    xp_cmdShell does not use your security context....it's a permissions issue.

    this is a common security misconception. The problem is that when you access any resource OUTSIDE of SQL server, like network shares, local hard drives,xp_cmdshell,sp_OA type functions etc, it doesn't matter what YOUR credentials are. Whether you are Domain Admin,Local Admin , logged in as sa, administrative login on a laptop, etc, because SQL will not carry those credentials to the "outside of SQL" security context.

    SQL WILL use your credentials for Linked Servers/OPENROWSET/OPENQUERY, but that's pretty much it.

    SQL Server uses the account it starts with to try and access the resource:

    That account is often an account which has never logged into the domain, and was never assigned permissions to get to the local disk or network share.

    As a result, you usually need to create a domain account in Active Directory, specifically grant it share access if it doesn't inherit it from Domain\Users or Domain\AuthenticatedUsers and change the account SQL Server starts with to that account.

    Once that is done, and you stop and start the SQL service to make it use that account instead of old running values, your linked server/xp_cmdshell would work.

    you can prove this is the issue by simply putting in your credentials, with your domain account and password, and confirm the external object you were trying to access/use works when SQL is run your credentials, so you'd know you need a domain account to access the resource.

    run this query to see what context you are really using

    DECLARE @Results table(

    ID int identity(1,1) NOT NULL,

    TheOutput varchar(1000))

    insert into @Results (TheOutput)

    exec master..xp_cmdshell 'whoami' --nt authority\system for example

    insert into @Results (TheOutput)

    exec master..xp_cmdshell 'cd %userprofile%' --NULL because nt authority\system is not a user...command fails.

    select * from @Results

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Thanks for your reply Lowell.

    I ran the SQL that you posted + checked the account details that are used to open SQLServer and both were the Admin account. Unless I misunderstood your post (which is entirely possible) does this mean the suggested solution wouldn't solve the problem?

  • hmm...rereading your issue, you said it is"SQL query analyser it runs continuously, seemingly without end"...

    could your application be raising a pop-up/error message window? so when it is run from QA, maybe with a misspelled parameter or something, it seems to be running forever because the app is waiting for someone to click "OK"?

    you have to be carefull calling apps from the command line, because there's no interaction allowed.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Spot on!

    I really appreciate your time and help with this. Apologies if my lack of knowledge regarding how SQL interacts with external programs is slowed down our progress towards a solution.

    Many thanks

    Chris

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply