Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[sp_Blitz] Checks with stored procedures sp_validatelogins, xp_regread, and xp_readerrorlog fail because of permissions #3356

Closed
Montro1981 opened this issue Sep 26, 2023 · 4 comments
Closed

[sp_Blitz] Checks with stored procedures sp_validatelogins, xp_regread, and xp_readerrorlog fail because of permissions #3356

Montro1981 opened this issue Sep 26, 2023 · 4 comments
Assignees
@Montro1981
Labels
bug sp_Blitz
Milestone
2023-10 Release

Comments

@Montro1981
Copy link
Contributor

Version of the script
Version 8.16
VersionDate 2023-08-20

What is the current behavior?
The fn_my_permissions function returns that we can execute the stored procedures sp_validatelogins and xp_regread but when we try to execute them we get errors that we have no permissions.
Also permissions for stored procedure xp_readerrorlog are not checked.

If the current behavior is a bug, please provide the steps to reproduce.
Create a user on the SQL server with VIEW SERVER STATE rights that is not sysadmin.

sp_validatelogins

SELECT [entity_name], [subentity_name], [permission_name]
FROM fn_my_permissions(N'sp_validatelogins', N'OBJECT') AS fmp
WHERE fmp.permission_name = N'EXECUTE';
entity_name subentity_name permission_name
sp_validatelogins EXECUTE 
EXEC sp_validatelogins;
/*
Msg 15247, Level 16, State 1, Procedure sp_validatelogins, Line 6 [Batch Start Line 0]
User does not have permission to perform this action.
*/

xp_regread

SELECT [entity_name], [subentity_name], [permission_name]
FROM fn_my_permissions(N'xp_regread', N'OBJECT') AS fmp
WHERE fmp.permission_name = N'EXECUTE'
entity_name subentity_name permission_name
xp_regread EXECUTE 
EXEC xp_regread @rootkey = N'HKEY_LOCAL_MACHINE', @key = N'', @value_name = N'';
/*
Msg 22001, Level 16, State 1, Line 31
xp_regread() returned error 5, 'Access is denied.'
*/

xp_readerrorlog

SELECT [entity_name], [subentity_name], [permission_name]
FROM fn_my_permissions(N'xp_readerrorlog', N'OBJECT') AS fmp
WHERE fmp.permission_name = N'EXECUTE';
entity_name subentity_name permission_name

All these errors are not fatal and the procedure will continue to run.

What is the expected behavior?
For sp_validatelogins, xp_regread we need to check if we can actually execute the procedures and set the @SkipValidateLogins and @SkipXPRegRead variables accordingly.
For xp_readerrorlog there is no variable (yet) so we need to add an skip variable to the list ,@SkipXPReadErrorLog bit = 0 and set it accordingly and disable check 193 if @SkipXPReadErrorLog = 1
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 fix for sp_validatelogins
e9d98e9
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 xp_regread fix
0b5071c
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 fix for sp_validatelogins. Reworked to handle output
5f337bd
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 fix for xp_regread. Moved temp table out of try catch
3e1b16a
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 fix for xp_readerrorlog
0984827
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 Small change to the temp table creation
5a1dc9d
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 Small change to temp table creation
4be96d4
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 Reworked the flow so no extra temp table is needed
4f4cc3d
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 fix for xp_regread without the extra temp table fr…
6c753e6 
…om the previous commit
Montro1981 added a commit to Montro1981/SQL-Server-First-Responder-Kit that referenced this issue Sep 26, 2023
@Montro1981
BrentOzarULTD#3356 Fix for xp_readerrorlog
fb0d8fd
This was referenced Sep 26, 2023
Merged
Merged
Merged
@Montro1981
Copy link
Contributor Author

Made three separate pull request as the issue required three different solutions.

@erikdarlingdata
Copy link
Contributor

@Montro1981 thanks for doing all this work on the permissions checks. I knew it was going to be a sordid process.

@Montro1981
Copy link
Contributor Author

@erikdarlingdata you're welcome.

BrentOzar added a commit that referenced this issue Oct 10, 2023
@BrentOzar
Merge pull request #3359 from Montro1981/SQL-Server-First-Responder-K…
5540f42 
…it_3356_sp_validatelogins

#3356 Fix for sp_validatelogins
@BrentOzar BrentOzar added this to the 2023-10 Release milestone Oct 10, 2023
@BrentOzar
Copy link
Member

Thanks for the pull request. Looks good, merging into the dev branch, will be in the next release with credit to you in the release notes.

BrentOzar added a commit that referenced this issue Oct 10, 2023
@BrentOzar
Merge pull request #3360 from Montro1981/SQL-Server-First-Responder-K…
11a0dd1 
…it_3356_xp_regread

#3356 Fix for xp_regread
BrentOzar added a commit that referenced this issue Oct 10, 2023
@BrentOzar
Merge pull request #3361 from Montro1981/SQL-Server-First-Responder-K…
7c39562 
…it_3356_xp_readerrorlog

#3356 Fix for xp_readerrorlog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Montro1981 Montro1981

Labels
bug sp_Blitz
Projects
None yet
Milestone
2023-10 Release
Development

No branches or pull requests
3 participants
@BrentOzar @erikdarlingdata @Montro1981