Skip to content

Fix User vs Login for granting exec to "xp_cmdshell" #3720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
CarlRabeler merged 1 commit into from
Dec 2, 2019
Merged

Fix User vs Login for granting exec to "xp_cmdshell" #3720

CarlRabeler merged 1 commit into from
Dec 2, 2019

Conversation

@srutzky
Copy link
Contributor

@srutzky srutzky commented Dec 1, 2019

This PR fixes #3719 .

These two changes regard Item # 3 under "Permissions" on the "xp_cmdshell" page. That paragraph is currently as follows:

In Management Studio, using the master database, execute the GRANT exec ON xp_cmdshell TO '<somelogin>' statement to give specific non-sysadmin users the ability to execute xp_cmdshell. The specified login must be mapped to a user in the master database.

  1. GRANT statement includes reference to "login" when logins cannot be granted permissions on schema-bound objects.

  2. The final sentence of that paragraph states that the login (being granted the permission) needs to be mapped to a user in the master database. Yes, a user does need to exist in master, but again, this has nothing to do with logins:

    1. The user does not even need to have an associated login (even if that will be the case in 99.99% of cases). { see example 2 }
    2. If the user does have an associated login, the names don't need to be the same, so the focus can't be on login because you have to use the "user" name, not the "login" name. Otherwise, the implication is that as long as the login does have a user mapped in master, then it would work to grant permission to the login (assuming different names between login and user such that this is a meaningful distinction). { see example 1 }

The following example shows:

  1. You can't grant permission to the login.
  2. The login, having a mapped user in master, still can't be granted permission.
  3. The user can be granted the permission.
USE [master];
CREATE LOGIN [Test-Login] WITH PASSWORD = 'oooops', CHECK_POLICY = OFF;


GRANT EXEC ON xp_cmdshell TO [Test-Login];
/*
Msg 15151, Level 16, State 1, Line XXXXX
Cannot find the user 'Test-Login', because it does not exist or you do not have permission.
*/


CREATE USER [Test-User] FOR LOGIN [Test-Login];


GRANT EXEC ON xp_cmdshell TO [Test-Login];
/*
Msg 15151, Level 16, State 1, Line XXXXX
Cannot find the user 'Test-Login', because it does not exist or you do not have permission.
*/


GRANT EXEC ON xp_cmdshell TO [Test-User];
-- Success!!

DROP USER [Test-User];
DROP LOGIN [Test-Login];

The following test shows that a user does not even need to have an associated login in order to be granted permission to use xp_cmdshell:

USE [master];
CREATE USER [SansLogin] WITHOUT LOGIN;
GRANT EXEC ON xp_cmdshell TO [SansLogin];

EXECUTE AS USER = N'SansLogin';
SELECT SUSER_NAME() as [LOGIN], USER_NAME() as [USER];
-- S-1-9-3-346486997-1338563376-2712380339-864934077	SansLogin

EXEC xp_cmdshell N'echo t';
/*
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line YYYY [Batch Start Line XXXXX]
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that
the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
*/

REVERT;
DROP USER [SansLogin];

Take care,
Solomon...
https://SqlQuantumLift.com/
https://SqlQuantumLeap.com/
https://SQLsharp.com/

@srutzky
Fix User vs Login for granting exec to "xp_cmdshell"
1da87bd 
1. `GRANT` statement included reference to "login" when login's cannot be granted permissions on schema-bound objects.

2. The final sentence of that paragraph stated that the login (being granted the permission) needed to be mapped to a user in the `master` database. Yes, a user does need to exist in `master`, but again, this has nothing to do with logins:
    1. The user does not even need to have an associated login (even if that will be the case in 99.99% of cases)
    2. If the user does have an associated login, the names don't need to be the same, so the focus can't be on login because you have to use the "user" name, not the "login" name.

Example code will be in the PR.
@PRMerger17
Copy link
Contributor

PRMerger17 commented Dec 1, 2019

@srutzky : Thanks for your contribution! The author(s) have been notified to review your proposed change.

@ktoliver ktoliver added the aq-pr-triaged tracking label for the PR review team label Dec 2, 2019
@CarlRabeler CarlRabeler merged commit 192e23c into MicrosoftDocs:live Dec 2, 2019
@CarlRabeler
Copy link
Contributor

CarlRabeler commented Dec 2, 2019

@srutzky thanks for this update and excellent commentary

@srutzky
Copy link
Contributor Author

srutzky commented Dec 2, 2019

@CarlRabeler You are quite welcome 😺

@srutzky srutzky deleted the patch-2 branch February 2, 2020 08:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CarlRabeler CarlRabeler Awaiting requested review from CarlRabeler

Assignees

@CarlRabeler CarlRabeler

Labels

aq-pr-triaged tracking label for the PR review team Change sent to author do-not-merge sql/prod system-objects/tech

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GRANT permission to User, not Login

4 participants

@srutzky @PRMerger17 @CarlRabeler @ktoliver