xp_cmdshell context sets the security context for the operating system command to be executed using the xp_cmdshell system ESP.
| Summary Information | |
|---|---|
| Default value | 1 |
| Valid values | 0, 1, 2 |
| Status | Dynamic |
| Display level | Comprehensive |
| Required role | System administrator |
| Configuration group | Extended Stored Procedure |
0 – command runs under XP Server’s account.
1 – command runs under user’s account.
2 – command runs under XP Server’s account only if the user has administrator privileges.
Setting xp_cmdshell context to 1 restricts the xp_cmdshell security context to users who have accounts at the operating system level. Its behavior is platform-specific. If xp_cmdshell context is set to 1, an operating system user account must exist for the SAP ASE user name before that user can use the xp_cmdshell ESP. For example, an SAP ASE user named “sa” cannot use xp_cmdshell unless he or she has an operating-system-level user account named “sa”.
Starting XP Server as root automatically sets xp_cmdshell context to 1, so secure access is enabled automatically.
On Windows, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if the user name of the user logging in to SAP ASE is a valid Windows user name with Windows system administration privileges on the system on which SAP ASE is running.
On other platforms, when xp_cmdshell context is set to 1, xp_cmdshell succeeds only if SAP ASE was started by a user with “superuser” privileges at the operating system level. When SAP ASE gets a request to execute xp_cmdshell, it checks the uid of the user name of the ESP requestor and runs the operating system command with the permissions of that uid.
If xp_cmdshell context is 0, the permissions of the operating system account under which SAP ASE is running are the permissions used to execute an operating system command from xp_cmdshell. This allows users to execute operating system commands that they would not ordinarily be able to execute under the security context of their own operating system accounts.
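A configuration review for this parameter, as an added example that is not part of the original documentation: it reads the current value, restores the default of 1, and lists who holds execute permission on the ESP. It assumes an isql session under a login with the system administrator role and that the xp_cmdshell system ESP is registered in sybsystemprocs.

```sql
-- Added example, not from the SAP documentation.
-- Run from isql as a login that holds the system administrator role.

-- 1. Report the current setting. A run value of 0 means every
--    xp_cmdshell command executes with the server-side OS account's
--    permissions, whatever the caller's own OS rights are.
exec sp_configure "xp_cmdshell context"
go

-- 2. Restore the default (1) so each command runs under the caller's
--    own operating system account. The parameter is dynamic, so the
--    change takes effect without restarting the server.
exec sp_configure "xp_cmdshell context", 1
go

-- 3. Confirm the run value now reads 1.
exec sp_configure "xp_cmdshell context"
go

-- 4. Review which users, groups and roles have been granted execute
--    permission on the ESP itself.
--    Assumption: the system ESP is registered in sybsystemprocs.
use sybsystemprocs
go
exec sp_helprotect "xp_cmdshell"
go
```

Because the behavior of value 1 is platform-specific, repeat the check on each host rather than assuming one server's result applies to another.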