June 5, 2009 at 3:56 am
Hi all,
I created developer login and given all rights to developer, but i can't able to exec Xp_cmdshell under developer login. How I should give permission for this.
Thanks.
Ravi
June 5, 2009 at 4:30 am
You can give permissions as you would on a normal SP, IE use GRANT EXECUTE (look up http://msdn.microsoft.com/en-us/library/aa260689(SQL.80).aspx).
xp_cmdshell is a touchy subject. You do need to be very careful when granting permission to this procedure. I've used it in the past to access a third-party's server proving a point their server was not secure. I could easily have copied a backup of Master, restored it to my server and cracked their SQL passwords. I also could have accessed and cracked the passwords in their SAM.
Providing non-admins the ability to execute xp_cmdshell is possible, but requires the following steps.
(1) Turn off the SQL Agent option restricting CmdExec/ActiveX scripting job to members of sysadmin
(2) Define a Proxy account
(3) Grant access to master for those users you wish to provide the ability to execute xp_cmdshell
(4) Grant EXECUTE permission on xp_cmdshell to those logins.
One item to keep in mind is the Agent setting will allow CmdExec Job steps to be created by non-sysadmins and executed using the Proxy account. Since by default this allows any account to create a Job, you may wish to Deny various permissions in msdb.
Hope this helps,
Also check
http://doc.ddart.net/mssql/sql70/xp_aa-sz.htm
Tanx 😀
Viewing 2 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply