I want to create a proxy user that will be able to run xp_cmdshell tasks like an administrator user does.
Note: I don't want to give this new user sysadmin permissions!
When I login from administrator, I can create the credentials for the proxy user and when I run select * From sys.credentials I can see the created credential there but when I try to run a simple xp_cmdshell task from the testuser like EXECUTE MASTER ..XP_CMDSHELL 'echo HI'
it gives an error like:
The server principal "testuser" is not able to access the database "master" under the current security context.
From the administrator side I tried:
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GRANT EXECUTE ON xp_cmdshell TO [testuser]
create credential xp_cmdshell_proxy_account with identity = 'test\testuser', secret = 'test123'
When I run all these statements they all give me a successful response, but if I try to run the credential like: EXEC sp_xp_cmdshell_proxy_account 'test\testuser','test123';
I get an error saying:
An error occurred during the execution of sp_xp_cmdshell_proxy_account. Possible reasons: the provided account was invalid or the '##xp_cmdshell_proxy_account##' credential could not be created. Error code: 0(null), Error Status: 0.
Can you help me and tell me what I am missing here?
Related
I created a proxy account that xp_cmdshell will run using sp_xp_cmdshell_proxy_account
And I gave one user permission
EXEC sp_xp_cmdshell_proxy_account 'Domain\user1'
If I give another user too
EXEC sp_xp_cmdshell_proxy_account 'Domain\user2'
I saw that only one had permission - the last user - user2
select * From sys.credentials
Does it override the previous user's permission?
sp_xp_cmdshell_proxy_account does not "give user permissions". This stored procedure specifies the OS security context (proxy account) for all non-sysadmin role members that execute xp_cmdshell. The SQL Server service account is used when sysadmin role members execute xp_cmdshell.
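To make the answer concrete, here is an added T-SQL walkthrough (not code from the thread) that shows the proxy credential is one server-wide row that each call replaces, and that the per-login permission to call xp_cmdshell is a separate EXECUTE grant in master. DOMAIN\user1, DOMAIN\user2, the passwords and the login testuser are placeholders; run it as sysadmin.

```sql
-- Added example, not from the thread. Placeholders: DOMAIN\user1, DOMAIN\user2,
-- the two passwords, and the non-sysadmin login [testuser].
USE master;
GO

-- 1. Set the proxy to the first Windows account.
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\user1', 'placeholder_password_1';
GO
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';
-- one row, credential_identity = DOMAIN\user1

-- 2. Calling it again does not add a second proxy; it replaces the credential.
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\user2', 'placeholder_password_2';
GO
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';
-- still one row, now DOMAIN\user2

-- 3. Which SQL logins may call xp_cmdshell is controlled separately, by an
--    EXECUTE grant in master to each login's database user. Audit those grants:
SELECT dp.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 4. Confirm the OS identity each class of caller gets. A sysadmin member runs
--    under the SQL Server service account; a non-sysadmin runs under the proxy.
EXEC xp_cmdshell 'echo %USERNAME%';        -- as sysadmin: service account
EXECUTE AS LOGIN = 'testuser';             -- non-sysadmin login with EXECUTE granted
EXEC xp_cmdshell 'echo %USERNAME%';        -- proxy account, DOMAIN\user2
REVERT;

-- 5. Passing NULL removes the proxy credential entirely, which is the
--    documented way to retire it when no non-sysadmin needs xp_cmdshell.
EXEC sp_xp_cmdshell_proxy_account NULL;
```

Step 3 is the query to keep for audits: every row it returns is a login that can run operating-system commands under the proxy account, so the proxy account itself should carry only the Windows rights those commands need.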
I have a public user and need to exec xp_regread. However I keep getting the error
xp_regread() returned error 5, 'Access is denied.'
even though I granted the exec permission to that user & read permission for the registry key.
USE master
GO
GRANT EXECUTE ON [sys].[xp_regread] TO [domain\user]
GO
Can anyone give me some advice?
I am trying to execute a powershell script from within an AFTER UPDATE SQL TRIGGER. From a component perspective the UPDATE and powershell cmd appear to function properly. However, the TRIGGER script as a whole fails at the point of executing the powershell script.
I recently discovered that to execute xp_cmdshell, it needs a user proxied to a windows account. Makes sense as anything executed outside of the SQL space needs a windows account to do so.
I then proceeded (after some research) to create the proxy user using the steps as follows
/* Enable xp_cmdshell */
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
/* Target DB */
USE master
/* Created a custom user with pwd */
CREATE LOGIN CustomUserX WITH PASSWORD = 'strong_password'
/* Created a user from the login */
CREATE USER CustomUserX FROM LOGIN CustomUserX
/* Granted execute for CustomUserX */
GRANT EXECUTE ON xp_cmdshell TO CustomUserX
/* Created proxy user using local machine account and pwd */
EXEC sp_xp_cmdshell_proxy_account 'LOCALMACHINENAME\WinsAccount','pwd'
/* Execute as login CustomUserX */
EXECUTE AS login = 'CustomUserX'
/* Ran simply listing of contents of drive E:/ */
EXEC xp_cmdshell 'DIR E:\*.*'
REVERT
When I tried to execute the script from within the trigger, the trigger failed with:
SQL Server Database Error: The server principal "CustomUserX" is not able to access the database "AnotherDB1" under the current security context.
I ran exec xp_cmdshell 'echo %username%' only to discover the "CustomUserX" account is not listed (only SQL$.., and NULL).
The above proxy scripts were executed for the master table as suggested. Would I need to do the same thing under the db instance ("AnotherDB1") as well?
You need to grant the user permission to use the database:
https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql
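The error in both this question and the first one on the page ("The server principal ... is not able to access the database ... under the current security context") is what SQL Server reports when a login has no user mapped in the database it is entering and guest access is off. The following added example (not from the thread) maps the login into master, where xp_cmdshell lives, and into the database the trigger runs in, then verifies the mapping by impersonating the login. Login names testuser and CustomUserX and the database AnotherDB1 are taken from the questions; everything else is an assumption.

```sql
-- Added example, not from the thread. Uses the questions' own names
-- ([testuser], [CustomUserX], AnotherDB1); assumes both logins already exist.

-- 1. Map the login into master so it can reach xp_cmdshell at all.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'testuser')
    CREATE USER [testuser] FOR LOGIN [testuser];
GRANT EXECUTE ON xp_cmdshell TO [testuser];
GO

-- 2. Verify from the login's point of view: the user resolves in master and
--    the EXECUTE permission is effective.
EXECUTE AS LOGIN = 'testuser';
SELECT SUSER_SNAME() AS login_name,
       USER_NAME()   AS master_user,          -- expected: testuser
       HAS_PERMS_BY_NAME('sys.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_exec; -- 1
REVERT;
GO

-- 3. Trigger case: EXECUTE AS LOGIN inside the trigger switches context while
--    the session sits in AnotherDB1, so the login needs a user there too.
--    CREATE USER grants CONNECT implicitly; nothing more is required for the
--    xp_cmdshell call itself, so do not add db_owner or similar.
USE AnotherDB1;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'CustomUserX')
    CREATE USER [CustomUserX] FOR LOGIN [CustomUserX];
GO

-- 4. Check which databases the trigger's login can now enter.
EXECUTE AS LOGIN = 'CustomUserX';
SELECT name AS database_name, HAS_DBACCESS(name) AS can_access
FROM sys.databases
WHERE name IN ('master', 'AnotherDB1');   -- expected: 1 for both
REVERT;
```

If step 4 still shows 0 for master, the login has a user in master under a different name (check sys.database_principals by sid) or the user was created in the wrong database; the proxy account setting has no bearing on this error, it only decides which Windows identity runs the command once access succeeds.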
I am using SQL Server's sp_send_dbmail stored procedure to send mail via the database.
But when I execute that procedure it's shutting down the db mail procedure. I tried to start it again by sysmail_start_sp. But it's again shutting down in 7-8 seconds.
I tried with the code below:
EXEC msdb..sp_send_dbmail @profile_name = 'Test',
@recipients = 'abc@gmail.com',
@subject = 'test mail',
@body_format = 'HTML',
@body = 'test mail',
@from_address = 'xyz@yahoo.com'
When I tried to check the error log I found the below error:
Message:
The read on the database failed. Reason: The error description is
'Whitespace is not allowed at this location.'.Data:
System.Collections.ListDictionaryInternalTargetSite:
Microsoft.SqlServer.Management.SqlIMail.Server.Objects.QueueItem
GetQueueItemFromCommand(System.Data.SqlClient.SqlCommand)HelpLink:
NULLSource: DatabaseMailEngineStackTrace
Information===================
Also when I checked sql email log history I found this error:
Mail not queued. Database Mail is stopped. Use sysmail_start_sp to start Database
Mail.
Whenever you try to send a test mail from Database Mail, it throws the error message below:
Msg 14641, Level 16, State 1, Procedure sp_send_dbmail, Mail not
queued. Database Mail is stopped. Use sysmail_start_sp to start
Database Mail.
First of all make sure that Service Broker Message Delivery in Databases is enabled by executing the following command in SSMS:
SELECT is_broker_enabled FROM sys.databases WHERE name = 'msdb'
If the result of above query is 0, then activate the service broker.
Activating Service Broker allows messages to be delivered to the database. A Service Broker endpoint must be created to send and receive messages from outside of the instance.
To activate Service Broker in a database use the following command:
USE master ;
GO
ALTER DATABASE DatabaseName SET ENABLE_BROKER ;
GO
If Service Broker is enabled, then confirm whether Database Mail is enabled or not by executing the queries below in SQL Server Management Studio:
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure
GO
If the result set shows run_value as 1 then Database Mail is enabled.
If the Database Mail option is disabled then run the below queries to enable it:
sp_configure 'Database Mail XPs', 1;
GO
RECONFIGURE;
GO
sp_configure 'show advanced', 0;
GO
RECONFIGURE;
GO
Once Database Mail is enabled, start the Database Mail external program with the query below on the msdb database:
USE msdb ;
EXEC msdb.dbo.sysmail_start_sp;
To confirm that the Database Mail external program is started, run the query below:
EXEC msdb.dbo.sysmail_help_status_sp;
If the Database Mail external program is started, check the status of the mail queue using the statement below:
EXEC msdb.dbo.sysmail_help_queue_sp @queue_type = 'mail';
There are a few things to troubleshoot. First, check that Database Mail is enabled by executing the following:
SELECT is_broker_enabled FROM sys.databases WHERE name = 'msdb'
If the result of the above is 0, activate the service broker by following this guide.
If the result of the above is 1, then check the status of Database Mail by executing the following statement:
EXECUTE dbo.sysmail_help_status_sp
To start Database Mail in a mail host database, run the following command in the msdb database:
EXECUTE dbo.sysmail_start_sp
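The two answers above describe the same checks in prose; the following added script (not from either answer) runs them in order, changes a setting only when the check fails, and finishes by pulling the Database Mail engine's own error log, which is where a message like the "Whitespace is not allowed at this location" error in the question is recorded. Run it as sysadmin; it assumes nothing beyond a default msdb.

```sql
-- Added example, not from the thread. Run as sysadmin in SSMS.

-- 1. Service Broker on msdb: Database Mail queues its work through it.
DECLARE @broker bit = (SELECT is_broker_enabled FROM sys.databases WHERE name = 'msdb');
IF @broker = 0
BEGIN
    PRINT 'Service Broker is disabled on msdb; enabling it.';
    ALTER DATABASE msdb SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;
END;

-- 2. The 'Database Mail XPs' switch. value_in_use is the setting active now,
--    as opposed to value, which may still be waiting on RECONFIGURE.
DECLARE @xps int = (SELECT CONVERT(int, value_in_use)
                    FROM sys.configurations
                    WHERE name = 'Database Mail XPs');
IF @xps = 0
BEGIN
    PRINT 'Database Mail XPs is off; enabling it.';
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'Database Mail XPs', 1;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;   -- hide advanced options again
    RECONFIGURE;
END;

-- 3. Status of the external program and of the mail queue.
EXEC msdb.dbo.sysmail_help_status_sp;                      -- STARTED or STOPPED
EXEC msdb.dbo.sysmail_help_queue_sp @queue_type = 'mail';  -- length, state, last activity

-- 4. The engine's own error log: this is where parse errors in a queued item
--    (for example a malformed address) show up, with the mailitem_id involved.
SELECT TOP (20) log_date, event_type, mailitem_id, description
FROM msdb.dbo.sysmail_event_log
WHERE event_type = 'error'
ORDER BY log_date DESC;

-- 5. Start the external program, then list items that never left the queue.
EXEC msdb.dbo.sysmail_start_sp;
SELECT mailitem_id, sent_status, send_request_date, send_request_user, last_mod_date
FROM msdb.dbo.sysmail_allitems
WHERE sent_status IN ('unsent', 'failed', 'retrying')
ORDER BY send_request_date DESC;
```

If the external program stops again a few seconds after sysmail_start_sp, step 4 is the place to look: an item that the engine cannot read will be logged there on every restart, and step 5 gives the mailitem_id so the offending row can be inspected before trying again.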
In my stored procedure, I send emails with sp_send_email. My stored procedure will be run in different environments; some will have emailing enabled, some won't.
If I run sp_send_email without it being enabled, I (quite rightly) get this error message
SQL Server blocked access to procedure 'dbo.sp_send_dbmail' of component 'Database Mail XPs' because this component is turned off as part of the security configuration for this server.
I want to check whether emailing is enabled first, so I can avoid the error by doing the following:
IF @is_enabled
BEGIN
EXEC msdb.dbo.sp_send_dbmail ...
END
How do I correctly set @is_enabled?
You can query sys.configurations
IF EXISTS (SELECT *
FROM sys.configurations
WHERE name = 'Database Mail XPs' AND value_in_use = 1)
PRINT 'enabled'
ELSE
PRINT 'no luck'
The downside is that it may not be visible to non-sysadmin users because of "MetaData Visibility".
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Database Mail XPs';
GO
The sp_send_mail falls under the 'Database Mail XPs' umbrella. Your application may not have the rights to run sp_configure and RECONFIGURE, so in the end you may be better off if you simply try to invoke sp_send_mail and handle the error.
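The answer's two suggestions can be combined: check sys.configurations first, and if that check cannot rule mail out, call sp_send_dbmail inside TRY...CATCH and treat the specific "component is turned off" error as a non-fatal outcome. The following added procedure (not from the answer) does that. It assumes SQL Server 2016 SP1 or later for CREATE OR ALTER, a Database Mail profile named 'Test' on the environments where mail is on, and uses error number 15281, which is the number SQL Server assigns to the "blocked access to procedure ... of component" message quoted in the question.

```sql
-- Added example, not from the thread. Assumes a profile named 'Test' where
-- Database Mail is enabled; the procedure name is a placeholder.
CREATE OR ALTER PROCEDURE dbo.usp_try_send_dbmail
    @recipients nvarchar(max),
    @subject    nvarchar(255),
    @body       nvarchar(max),
    @sent       bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @sent = 0;

    -- Fast path: if the configuration row is visible and says 0, skip mail.
    -- If the row is not visible to this login (the metadata-visibility caveat
    -- in the answer), EXISTS is false and we fall through to the TRY block.
    IF EXISTS (SELECT 1
               FROM sys.configurations
               WHERE name = 'Database Mail XPs'
                 AND CONVERT(int, value_in_use) = 0)
    BEGIN
        PRINT 'Database Mail XPs is off; skipping mail.';
        RETURN;
    END;

    BEGIN TRY
        EXEC msdb.dbo.sp_send_dbmail
            @profile_name = 'Test',
            @recipients   = @recipients,
            @subject      = @subject,
            @body         = @body;
        SET @sent = 1;
    END TRY
    BEGIN CATCH
        -- 15281: "SQL Server blocked access to procedure ... because this
        -- component is turned off". Expected in environments without mail.
        -- Anything else (bad profile, no DatabaseMailUserRole) is re-raised.
        IF ERROR_NUMBER() = 15281
            PRINT 'Database Mail is disabled on this server; mail skipped.';
        ELSE
            THROW;
    END CATCH;
END;
GO

-- Usage: @sent tells the caller whether a message was actually queued.
DECLARE @ok bit;
EXEC dbo.usp_try_send_dbmail
    @recipients = 'ops@example.com',   -- constructed address
    @subject    = 'nightly job',
    @body       = 'done',
    @sent       = @ok OUTPUT;
SELECT @ok AS mail_sent;
```

Re-raising every error other than 15281 is deliberate: swallowing a permissions or profile error would make a misconfigured production environment look identical to a test environment where mail is intentionally off.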
BOL says:
To send Database mail, users must be a user in the msdb database and a member of the DatabaseMailUserRole database role in the msdb database. To add msdb users or groups to this role use SQL Server Management Studio or execute the following statement for the user or role that needs to send Database Mail.
So, you can give to user the appropriate role:
EXEC msdb.dbo.sp_addrolemember @rolename = 'DatabaseMailUserRole',
    @membername = '<user or role name>';
GO
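As an added example (not from the answer), the script below applies that grant with the least privilege Database Mail allows, scoping the user to one profile rather than every public profile, and then audits who on the instance can send mail. The login app_mailer and the profile 'Test' are placeholders.

```sql
-- Added example, not from the thread. Placeholders: login [app_mailer],
-- profile 'Test'. Run as sysadmin.
USE msdb;
GO

-- 1. The sender must be a user in msdb and a member of DatabaseMailUserRole.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'app_mailer')
    CREATE USER [app_mailer] FOR LOGIN [app_mailer];
EXEC sp_addrolemember @rolename = 'DatabaseMailUserRole', @membername = 'app_mailer';
GO

-- 2. Bind the user to a single private profile instead of relying on a public
--    one; @is_default = 1 lets callers omit @profile_name.
EXEC msdb.dbo.sysmail_add_principalprofile_sp
    @principal_name = 'app_mailer',
    @profile_name   = 'Test',
    @is_default     = 1;
GO

-- 3. Audit: every principal that can call sp_send_dbmail on this instance ...
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'DatabaseMailUserRole'
ORDER BY m.name;

-- 4. ... and which profiles each of them may use. A row whose principal is
--    'public' means any DatabaseMailUserRole member can send through it.
EXEC msdb.dbo.sysmail_help_principalprofile_sp;
```

Steps 3 and 4 together answer the question reviewers usually ask about Database Mail: which accounts can originate e-mail from the database server, and through which profile (and therefore which SMTP account).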