| Summary information | |
|---|---|
| Default value | 1 |
| Valid values | 0, 1, 2 |
| Status | Dynamic |
| Display level | Comprehensive |
| Required role | System administrator |
| Configuration group | Extended Stored Procedure |

xp_cmdshell context sets the security context for the operating system command to be executed using the xp_cmdshell system ESP. The value of xp_cmdshell context determines the account under which the command runs:
0 – command runs under XP Server’s account.
1 – command runs under user’s account.
2 – command runs under XP Server’s account only if the user has administrator privileges.
Setting xp_cmdshell context to 1 restricts the xp_cmdshell security context to users who have accounts at the operating system level. Its behavior is platform-specific. If xp_cmdshell context is set to 1, an operating system user account must exist for the Adaptive Server user name before that user can use the xp_cmdshell ESP. For example, an Adaptive Server user named “sa” cannot use xp_cmdshell unless he or she has an operating-system-level user account named “sa”.
On Windows, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if the user name of the user logging in to Adaptive Server is a valid Windows user name with Windows system administration privileges on the system on which Adaptive Server is running.
On other platforms, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if Adaptive Server was started by a user with “superuser” privileges at the operating system level. When Adaptive Server gets a request to execute xp_cmdshell, it checks the uid of the user name of the ESP requestor and runs the operating system command with the permissions of that uid.
If xp_cmdshell context is 0, operating system commands issued through xp_cmdshell execute with the permissions of the operating system account under which Adaptive Server is running. This allows users to execute operating system commands that they would not ordinarily be able to execute under the security context of their own operating system accounts.
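
The following audit batch is an added example, not part of the original reference page. It reads the current run value of xp_cmdshell context and reports which of the three documented modes is active, with the remediation for the permissive setting shown as a comment. It assumes an isql session under a login with the System Administrator role and the standard `master..sysconfigures` and `master..syscurconfigs` system tables; the variable name `@ctx` is illustrative.

```sql
-- Added example: audit the active "xp_cmdshell context" setting.
declare @ctx int

-- syscurconfigs holds the value currently in effect; sysconfigures maps
-- the configuration number to the parameter name.
select @ctx = cc.value
from master..sysconfigures c, master..syscurconfigs cc
where c.config = cc.config
  and c.name = 'xp_cmdshell context'

if @ctx is null
    print 'xp_cmdshell context: parameter not found on this server'
else if @ctx = 0
begin
    -- Weakest setting: every caller inherits the OS permissions of the
    -- account running Adaptive Server, regardless of their own OS rights.
    print 'FINDING: xp_cmdshell context = 0 (commands run under the server account)'
    print 'Remediate with: sp_configure "xp_cmdshell context", 1'
end
else if @ctx = 1
    print 'OK: xp_cmdshell context = 1 (default; commands run under the user''s own OS account)'
else if @ctx = 2
    print 'REVIEW: xp_cmdshell context = 2 (server account, only for users with administrator privileges)'
else
    print 'UNEXPECTED: value outside the documented range 0, 1, 2'
go

-- Remediation, run separately after review. The parameter is dynamic,
-- so the new value takes effect without restarting the server.
-- sp_configure "xp_cmdshell context", 1
-- go
```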