Getting execute permission to xp_cmdshell

I am seeing an error message when trying to execute xp_cmdshell from within a stored procedure.

xp_cmdshell is enabled on the instance. And the execute permission was granted to my user, but I am still seeing the exception.

The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'

Part of the issue is that this is a shared cluster, and we have a single database on the instance, so we don't have a full range of admin permissions. So I can't go in and grant permissions, and what-not.

For users that are not members of the sysadmin role on the SQL Server instance you need to do the following actions to grant access to the xp_cmdshell extended stored procedure. In addition, if you forgot one of the steps, I have listed the error that will be thrown.

  1. Enable the xp_cmdshell procedure

    Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1 SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.

  2. Create a login for the non-sysadmin user that has public access to the master database

    Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1 The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

  3. Grant EXEC permission on the xp_cmdshell stored procedure

    Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1 The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

  4. Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account

    Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1 The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.

It would seem from your error that either step 2 or 3 was missed. I am not familiar with clusters to know if there is anything particular to that setup.

I want to complete the answer from tchester.

(1) Enable the xp_cmdshell procedure:

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO

-- Enable the xp_cmdshell procedure
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO

(2) Create a login 'Domain\TestUser' (windows user) for the non-sysadmin user that has public access to the master database

(3) Grant EXEC permission on the xp_cmdshell stored procedure:

GRANT EXECUTE ON xp_cmdshell TO [Domain\TestUser]

(4) Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account

EXEC sp_xp_cmdshell_proxy_account 'Domain\TestUser', 'pwd'
-- Note: pwd means windows password for [Domain\TestUser] account id on the box.
--       Don't include square brackets around Domain\TestUser.

(5) Grant control server permission to user

USE master;
GRANT CONTROL SERVER TO [Domain\TestUser]
GO

tchester said:

(2) Create a login for the non-sysadmin user that has public access to the master database

I went to my user's database list (server/security/connections/my user name/properties/user mapping), and wanted to check the box for master database. I got an error message telling that the user already exists in the master database. Went to master database, dropped the user, went back to "user mapping" and checked the box for master. Check the "public" box below.

After that, you need to re-issue the grant execute on xp_cmdshell to "my user name"

Yves

To expand on what has been provided for automatically exporting data as csv to a network share via SQL Server Agent.

(1) Enable the xp_cmdshell procedure:

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO

-- Enable the xp_cmdshell procedure
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO

(2) Create a login 'Domain\TestUser' (windows user) for the non-sysadmin user that has public access to the master database. Done through user mapping

(3) Give log on as batch job: Navigate to Local Security Policy -> Local Policies -> User Rights Assignment. Add user to "Log on as a batch job"

(4) Give read/write permissions to network folder for domain\user

(5) Grant EXEC permission on the xp_cmdshell stored procedure:

GRANT EXECUTE ON xp_cmdshell TO [Domain\TestUser]

(6) Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account

EXEC sp_xp_cmdshell_proxy_account 'Domain\TestUser', 'password_for_domain_user'

(7) If the sp_xp_cmdshell_proxy_account command doesn't work, manually create it

create credential ##xp_cmdshell_proxy_account## with identity = 'Domain\DomainUser', secret = 'password'

(8) Enable SQL Server Agent. Open SQL Server Configuration Manager, navigate to SQL Server Services, enable SQL Server Agent.

(9) Create automated job. Open SSMS, select SQL Server Agent, then right-click jobs and click "New Job".

(10) Select "Owner" as your created user. Select "Steps", make "type" = T-SQL. Fill out command field similar to below. Set delimiter as ','

EXEC master..xp_cmdshell 'SQLCMD -q "select * from master" -o file.csv -s ","'

(11) Fill out schedules accordingly.

Time to contribute now. I am sysadmin role and worked on getting two public access users to execute xp_cmdshell. I am able to execute xp_cmdshell but not the two users.

I did the following steps:

  1. create new role:

    use master
    CREATE ROLE [CmdShell_Executor] AUTHORIZATION [dbo]
    GRANT EXEC ON xp_cmdshell TO [CmdShell_Executor]

  2. add users in master database: Security --> Users. Membership checks only [CmdShell_Executor] that is just created

  3. set up proxy account:

    EXEC sp_xp_cmdshell_proxy_account 'domain\user1','users1 Windows password'
    EXEC sp_xp_cmdshell_proxy_account 'domain\user2','users2 Windows password'

Then both users can execute the stored procedure that contains xp_cmdshell invoking a R script run. I let the users come to my PC to type in the password, execute the one line code, then delete the password.

Don't grant control to the user, it's totally unnecessary. Select permission on the database is enough. After you have created the login and the user on master (see above answers):

use YourDatabase
go
create user [YourDomain\YourUser] for login [YourDomain\YourUser] with default_schema=[dbo]
go
alter role [db_datareader] add member [YourDomain\YourUser]
go
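
An added example, not taken from any of the answers: a read-only T-SQL check of the four prerequisites listed in the first answer, plus a listing of CONTROL SERVER grants, which the last answer advises against. `Domain\TestUser` is the placeholder login used in the answers, and the script assumes it is run by a login that may view server-level metadata (credentials and server permissions).

```sql
-- Added example: verify each xp_cmdshell prerequisite without changing anything.
USE master;
GO

-- Placeholder login name taken from the answers above; replace as needed.
DECLARE @login sysname = N'Domain\TestUser';

-- Step 1 (error 15281 if missing): is xp_cmdshell enabled on the instance?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- Step 2 (error 229 if missing): does the login exist and map to a user in master?
-- master_user is NULL when the login has no user in master.
SELECT sp.name AS login_name, sp.type_desc, dp.name AS master_user
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = @login;

-- Step 3 (error 229 if missing): who holds EXECUTE on xp_cmdshell?
-- Grants on the system procedure are recorded in master.
SELECT pr.name AS grantee, pr.type_desc, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- Step 4 (error 15153 if missing): does the proxy credential exist, and
-- which Windows account will commands run as for non-sysadmin callers?
SELECT name, credential_identity, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- Over-grant check: CONTROL SERVER is close to sysadmin-level rights,
-- so any principal listed here deserves a review.
SELECT pr.name AS grantee, pr.type_desc, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'CONTROL SERVER'
  AND pe.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION');
GO
```

An empty result for the step 3 or step 4 query corresponds to the Msg 229 and Msg 15153 errors quoted in the first answer.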
