问题
I'm using xp_cmdshell within a database trigger to launch a exe file.
xp_cmdshell is enabled(it can execute simple cmd command like 'echo'). But when I try to launch the exe through xp_cmdshell, the access is denied.
I am the database administrator. And I can launch the exe through cmd directly. Anyone know why I get denied and how to fix it?
回答1:
Likely insufficient NTFS permissions. Make sure the 'user account' that the SQL Server is running as, has permission (Read+Execute) to the *.EXE (and any dependent files)
回答2:
Use xp_cmdshell to run "whoami", then check effective permissions for the stated user on the exe and any resources it accesses. Odds are that an account like localsystem is being used to run processes via xp_cmdshell.
EXEC xp_cmdshell 'whoami'
回答3:
Not sure, but I believe that the trigger is run by the user running the SQL command that "triggered" the trigger.
Is the user issuing the SQL command a Windows user or a SQL user ? If it's a SQL user, you need to set an "SQL Proxy". The SQL Proxy is used to tell SQL which Windows user will be used to access the file system.
Hope this helps,
Yves
回答4:
I was getting ACCESS DENIED when trying to run BCP and then COPY.
What I found is that xp_cmdshell starts in c:\windows\system32
I modified my CMD file to change to my working folder
L: cd L:\myworkingfolder
This solved my problem, Event though my sqlagent was a local administrator and I had full pathed my copy command.
回答5:
Time to contribute now. I am sysadmin role and worked on getting two public access users to execute xp_cmdshell. I am able to execute xp_cmdshell but not the two users.
I did the following steps:
create new role:
use master CREATE ROLE [CmdShell_Executor] AUTHORIZATION [dbo] GRANT EXEC ON xp_cmdshell TO [CmdShell_Executor]
add users in master database: Security --> Users. Membership checks only [CmdShell_Executor] that is just created
set up proxy account:
EXEC sp_xp_cmdshell_proxy_account 'domain\user1','users1 Windows password' EXEC sp_xp_cmdshell_proxy_account 'domain\user2','users2 Windows password'
Then both users can execute the stored procedure that contains xp_cmdshell invoking a R script run. I let the users to type in the password, execute the one line code, then delete the password. All in my pc.
回答6:
You can also get Access is denied.
when you don't specify path to executable correctly. Note if your path contains spaces, you need to enclose the executable into double quotes:
EXEC xp_cmdshell '"D:\My path\With spaces\runme.exe"'
回答7:
I had the same problem and I solved it like this:
- Open SQL Server Configuration Manager
- Select your instance and right-click -> properties
- Select Log on tab
- And select authorized account
来源:https://stackoverflow.com/questions/10822464/access-denied-for-enabled-xp-cmdshell-for-the-admin-user