xp_cmdshell context

xp_cmdshell context sets the security context in which an operating system command runs when it is executed through the xp_cmdshell system extended stored procedure (ESP).

Summary Information

Default value: 1
Valid values: 0, 1, 2
Status: Dynamic
Display level: Comprehensive
Required role: System administrator
Configuration group: Extended Stored Procedure

The value of xp_cmdshell context determines the account under which the command runs:

Setting xp_cmdshell context to 1 restricts the xp_cmdshell security context to users who have accounts at the operating system level. Its behavior is platform-specific. If xp_cmdshell context is set to 1, to use an xp_cmdshell ESP, an operating system user account must exist for the SAP ASE user name. For example, an SAP ASE user named “sa” cannot use xp_cmdshell unless he or she has an operating-system-level user account named “sa”.

Starting XP Server as root automatically sets xp_cmdshell context to 1, so secure access is automatically enabled.

On Windows, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if the user name of the user logging in to SAP ASE is a valid Windows user name with Windows system administration privileges on the system on which SAP ASE is running.

On other platforms, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if SAP ASE was started by a user with “superuser” privileges at the operating system level. When SAP ASE gets a request to execute xp_cmdshell, it checks the uid of the user name of the ESP requestor and runs the operating system command with the permissions of that uid.

If xp_cmdshell context is 0, an operating system command run from xp_cmdshell executes with the permissions of the operating system account under which SAP ASE is running. This allows users to execute operating system commands that they would not ordinarily be able to execute under the security context of their own operating system accounts.
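
The following is an added example, not part of the original SAP documentation: an isql session that audits the parameter, flags the permissive setting 0 described above, restores the default, and lists who may execute the ESP. It assumes a standard installation in which the master..sysconfigures and master..syscurconfigs catalog tables and the sp_helprotect procedure are available, and that xp_cmdshell is registered in sybsystemprocs.

```sql
-- Added example; run as a login with the System administrator role.

-- 1. Report the current setting. Calling sp_configure with only the
--    parameter name displays it without changing anything.
exec sp_configure "xp_cmdshell context"
go

-- 2. The same check as a query, suitable for a scheduled audit job.
--    (Assumption: catalog tables as found on a standard installation.)
--    A run value of 0 means xp_cmdshell commands execute with the
--    permissions of the OS account that SAP ASE itself runs under.
select c.name,
       cc.value as run_value,
       case cc.value
           when 0 then 'REVIEW: commands run as the SAP ASE OS account'
           when 1 then 'OK: caller needs a matching OS-level account'
           else 'Value not described on this page; check the product documentation'
       end as finding
from master..sysconfigures c, master..syscurconfigs cc
where c.config = cc.config
  and c.name = 'xp_cmdshell context'
go

-- 3. Restore the default value. The parameter's status is Dynamic,
--    so the change takes effect without restarting the server.
exec sp_configure "xp_cmdshell context", 1
go

-- 4. Review which users and roles hold execute permission on the ESP.
--    (Assumption: xp_cmdshell is registered in sybsystemprocs.)
use sybsystemprocs
go
exec sp_helprotect xp_cmdshell
go
```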