So I have a bunch of database users who should be able to execute a procedure with a call to xp_cmdshell. They are not windows domain accounts, they are just sql-server logins. I want to do it using a proxy ##xp_cmdshell_proxy_account##
. I am aware of security threats that it may bring. I cannot use 'WITH EXECUTE AS admin' due to our company inner version control and I obviously do not want to grant all of the users rights to execute xp_cmdshell
, that is why my only choice (am I right here?) is using the proxy account.
I have a special windows-domain account for it, to whom I granted xp_cmdshell execution rights. I can successfully execute cmdshell using this account. I created the proxy account using the following command:
EXEC sp_xp_cmdshell_proxy_account [my_domain\special_account],'SuperSecretPassword'
When I try to execute any xp_cmdshell command as a database user with no xp_cmdshell rights an error appears:
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
My question is – can I execute a xp_cmdshell command using an sql server login and I am simply missing something here or is it only possible using a domain account? Is there any other procedure to follow here to make it happen?
If I fail to make the above work I will have to switch some logic to a CLR procedure, but I am determined to make it work.
I am using sql-server 2012. Any help will be appreciated, thanks!
Best Answer
It appears you need to grant access to xp_cmdshell for your sql server login. Once the user has permission to run xp_cmdshell, it will use your proxy account to run it since it is a non-privileged user.
Another alternative would be to use certificates to sign your stored procedures, allowing you to grant additional privileges for users executing that stored procedure.
https://msdn.microsoft.com/en-us/library/bb283630.aspx
The downside of certificates is that the procedure needs to be re-signed every time you make a change to it, which can be a pain.