Grant EXECUTE to user on XP_CMDSHELL

Test

For my example code (which follows), the first thing you need to do is to setup a Windows user called "TestDummy" with just normal user privs.  You also need to setup a user called SqlCmdUser and give it privs to whatever drives you want someone with the ability to run xp_CmdShell to be able to see.

Now, I create a test database in the following code.  Everywhere it says "yourdomainname", you'll need to replace with the domain name of your Windows server.

You need to be REAL careful with this code.  This is code I did a demo with to prove that xp_CmdShell could actually be used safely and I wanted to make it easy to rerun.  If you don't review the DROPs in this code before you run it, you're crazy.

You must also have enabled xp_CmdShell before you do any of this.  You can do that with the following code which comes straight out of Books Online.

WARNING!!! THIS CODE TURNS ON XP_CMDSHELL.  HAVING IT TURNED OFF WON'T ACTUALLY HELP YOU IF YOU HAVE ANY PUBLIC FACING OR UNTRUSTWORTHY INTERIOR USERS THAT HAVE "SA" PRIVS!!!  INSTEAD OF MESSING AROUND WITH THIS CODE, YOU SHOULD BE FIXING YOUR SECURITY, INSTEAD!!!

1. -- To allow advanced options to be changed.
   
2. EXEC sp_configure 'show advanced options', 1
   
3. GO
   
4. -- To update the currently configured value for advanced options.
   
5. RECONFIGURE
   
6. GO
   
7. -- To enable the feature.
   
8. EXEC sp_configure 'xp_cmdshell', 1
   
9. GO
   
10. -- To update the currently configured value for this feature.
    
11. RECONFIGURE
    
12. GO
    

复制代码

Here's my code.  It does everything else.  Again, REVIEW THE DROPs before you run it.  Replace "yourdomainname" with the domain name of your, well, your domain.

The code does a bunch of one-time setup to build the correct users.  There's some display code in there to show that the only privs the TestDummy user has is "PUBLIC" with EXECUTE privs on a sample stored proc that does a simple "DIR" command.  You can, of course, to change the stored procedure to take a full DOS command but I still recommend that you limit the user to just those things the (s)he needs to do.

The code also does a demonstration that shows that it can execute the stored procedure that contains a call to xp_CmdShell but can't execute xp_CmdShell itself.  As usual, for more information, see the comments in the code and Books Online.

1. --===== Make sure none of the test objects I use exist ahead of time so that we can see that this all actually works
   
2. SELECT '****************************** Making sure the things we need don''t already exist. ******************************';
   
3.     USE MASTER;
   
4.    DROP DATABASE MyTester;                 --BE REAL CAREFUL HERE!!! Drops the database I tested against
   
5.    EXEC sp_xp_cmdshell_proxy_account NULL; --Drops the cmd shell proxy just to be sure.
   
6.    DROP USER  [yourdomainname\TestDummy];  --Drops the login I used for my Windows TestDummy user just to be sure one doesn't exist.
   
7.    DROP LOGIN [yourdomainname\TestDummy];  --Drops the login I used for my Windows TestDummy user just to be sure one doesn't exist.
   
8.    DROP USER  [yourdomainname\SqlCmdUser]; --Drops the login I used for my Windows SqlCmdUser user just to be sure one doesn't exist.
   
9.    DROP LOGIN [yourdomainname\SqlCmdUser]; --Drops the login I used for my Windows SqlCmdUser user just to be sure one doesn't exist.
   
10. GO
    
11. -----------------------------------------------------------------------------------------------------------------------
    
12. --===== Recreate my test database and the user which only has "public" privs.
    
13.      -- I believe the DEFAULT_SCHEMA is important here.
    
14. SELECT '****************************** Creating [MyTester] DB and TestDummy. ******************************';
    
15. CREATE DATABASE [MyTester];
    
16. GO
    
17.     USE [MyTester];
    
18. CREATE LOGIN [yourdomainname\TestDummy] FROM WINDOWS WITH DEFAULT_DATABASE=[MyTester], DEFAULT_LANGUAGE=[us_english];
    
19. CREATE USER [yourdomainname\TestDummy] FOR LOGIN [yourdomainname\TestDummy] --This just maps the database for the user
    
20. GO
    
21. --===== This just displays how limited the TestDummy user is
    
22.    EXEC sp_helpuser [yourdomainname\TestDummy];
    
23. GO
    
24. -----------------------------------------------------------------------------------------------------------------------
    
25. --===== Now we build the Login and proxy account using the SqlCmdUser I built in Windows on my box at home.
    
26.      -- IMPORTANT!!! A step we cannot skip is that we have to build a user from the SqlCmdUser login.
    
27.      -- NOTE THAT THIS MUST BE A SINGLE USER AND NOT A WINDOWS GROUP!
    
28. SELECT '****************************** Building/Granting Proxy user stuff. ******************************';
    
29.     USE [master];
    
30. CREATE LOGIN [yourdomainname\SqlCmdUser] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english];
    
31. CREATE USER [yourdomainname\SqlCmdUser] FOR LOGIN [yourdomainname\SqlCmdUser] WITH DEFAULT_SCHEMA=[dbo];
    
32.    EXEC sp_xp_cmdshell_proxy_account 'yourdomainname\SqlCmdUser','SqlCmdUser';
    
33. 
    
34. --===== Very important here... we have to grant access to xp_CmdShell to the new Window's user...
    
35.   GRANT EXECUTE ON xp_CmdShell to [yourdomainname\SqlCmdUser];
    
36. GO
    
37. --===== This just displays how limited even the SqlCmdUser is!!!!
    
38.    EXEC sp_helpuser [yourdomainname\SqlCmdUser];
    
39. GO
    
40. -----------------------------------------------------------------------------------------------------------------------
    
41. -- ********** NOTE THAT EVERYTHING ABOVE IS AS WE HAD IT BEFORE! **********
    
42. -- ********** NOTE THAT THE ONLY THING WE HAVE TO DO IN THE STORED PROCS (SEE BELOW
    
43. -- ********** IS TO INCLUDE "WITH EXECUTE AS OWNER"
    
44. -- heh... And Bob's your Uncle!
    
45. -----------------------------------------------------------------------------------------------------------------------
    
46. --===== Create a stored procedure in the new "MyTester" database that uses xp_CmdShell.
    
47.      -- Keep in mind that, right now, we're signed in as a member of "dbo".
    
48.     USE [MyTester];
    
49. GO
    
50. DROP PROCEDURE dbo.GetDirInfo;
    
51. GO
    
52. CREATE PROCEDURE dbo.GetDirInfo
    
53.    WITH EXECUTE AS OWNER
    
54.      AS
    
55.    EXEC xp_cmdshell 'DIR C:\';
    
56. SELECT ORIGINAL_LOGIN(), SUSER_NAME(), SUSER_SNAME(), USER_NAME(), SYSTEM_USER, SESSION_USER, CURRENT_USER, USER;
    
57. ;
    
58. GO
    
59. --===== Give the general puplic privs to run the sproc.
    
60.   GRANT EXECUTE ON dbo.GetDirInfo TO PUBLIC
    
61. ;
    
62. GO
    
63. -----------------------------------------------------------------------------------------------------------------------
    
64. --===== Now, show that the "TestDummy" user can execute the proc but not xp_cmdshell itself.
    
65.      -- Simulate logging in as a user with low privs...
    
66. EXECUTE AS LOGIN = 'yourdomainname\TestDummy'
    
67. 
    
68. SELECT ORIGINAL_LOGIN(), SUSER_NAME(), SUSER_SNAME(), USER_NAME(), SYSTEM_USER, SESSION_USER, CURRENT_USER, USER;
    
69.      -- This works... (which is what we want)
    
70.   PRINT REPLICATE('=',80);
    
71.   PRINT '********** Testing execution of dbo.GetDirInfo **********'
    
72.    EXEC dbo.GetDirInfo
    
73. SELECT ORIGINAL_LOGIN(), SUSER_NAME(), SUSER_SNAME(), USER_NAME(), SYSTEM_USER, SESSION_USER, CURRENT_USER, USER;
    
74.      -- This doesn't... (which is also what we want)
    
75.   PRINT REPLICATE('=',80);
    
76.   PRINT '********** Testing execution of xp_CmdShell directly **********'
    
77.    EXEC xp_cmdshell 'DIR C:\'
    
78. ;
    
79. GO
    
80. --===== Test complete... go back to normal.
    
81. REVERT
    
82. ;

复制代码