Re: Best Practice - xp_cmdshell question
From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 11/16/04
- Next message: Dan Guzman: "Re: decrypt function in SQL Server 2000"
- Previous message: Sharad: "Administrative tasks"
- In reply to: smaas_at_newsgroups.nospam: "Re: Best Practice - xp_cmdshell question"
- Next in thread: Andrew J. Kelly: "Re: Best Practice - xp_cmdshell question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Nov 2004 07:57:53 -0600
As Mike and Andrew suggested, the best approach is to remove the xp_cmdshell
execute from the trigger and use an alternate method. Of course, this
assumes you can modify 3rd party trigger.
> The table is not owned by dbo - it is owned by an application account, and
> the ownership has to remain, or the application will not function
> properly.
> I'm still looking for an alternative way to write the file without using
> xp_cmdshell...
The ownership chain technique I mentioned will only work for dbo-owned
objects in an sa-owned database. You could create a dbo-owned proc that
executes the needed xp_cmdshell command and execute that instead so that
users need only permissions on the procedure. However, since this will
require changing the trigger anyway, you might as well 'do it right' using a
different technique.
-- Hope this helps. Dan Guzman SQL Server MVP "smaas@newsgroups.nospam" <smaasnewsgroupsnospam@discussions.microsoft.com> wrote in message news:DF0377B7-8DDA-4E19-AEB3-E7D2C9EA10D4@microsoft.com... > Dan, > > The table is not owned by dbo - it is owned by an application account, and > the ownership has to remain, or the application will not function > properly. > I'm still looking for an alternative way to write the file without using > xp_cmdshell... > > "Dan Guzman" wrote: > >> If the table is owned by 'dbo', you can allow the trigger to use >> xp_cmdshell >> without direct user execute permissions by changing your user database >> owner >> to 'sa' (using sp_changedbowner). With SQL 2000 SP3, you'll also need to >> enable the 'db chaining' (a.k.a. cross-database chaining) option un your >> user database. This will provide an unbroken ownership chain between >> your >> trigger and the xp_cmdshell extended stored procedure. >> >> Note that you should enable 'db chaining' in an sa-owned database when >> only >> sysadmin role members have permissions to create dbo-owned objects in >> that >> database. >> >> -- >> Hope this helps. >> >> Dan Guzman >> SQL Server MVP >
- Next message: Dan Guzman: "Re: decrypt function in SQL Server 2000"
- Previous message: Sharad: "Administrative tasks"
- In reply to: smaas_at_newsgroups.nospam: "Re: Best Practice - xp_cmdshell question"
- Next in thread: Andrew J. Kelly: "Re: Best Practice - xp_cmdshell question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
