4,707 questions
You can try
SELECT * FROM sys.dm_os_file_exists('\servername\appfolder\filename.txt');
Extended stored procedure xp_fileexist appears to require sysadmin permissions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 38%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Moloney, Doug
1
Reputation point
xp_fileexist appears to require sysadmin permissions.
If I run this with sysadmin
exec xp_fileexist '\servername\appfolder\filename.txt'
I get File Exist with a 1
However, when sysadmin permissions are removed it returns File Exists with a 0.
Does anyone know of any other way to grant the permission to return the correct result.
Developer technologies | Transact-SQL
SQL Server | Other
14,501 questions
5 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 35%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHU%3C/text%3E%3C/svg%3E)
Hafeez Uddin 296 Reputation points2021-06-03T18:20:45.64+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 10%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
doug.moloney@uchealth.com 6 Reputation points2021-06-03T18:26:01.99+00:00 thanks, that does work, but was looking to figure out permissions for xp_fileexists that does not require sysadmin role.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Tom Phillips 17,771 Reputation points2021-06-03T18:48:12.977+00:00 I highly recommend against using undocumented extended procs or TSQL for file manipulation. They are not intended for user usage.
If you need to something on the file system, I suggest you use SSIS or SQL Agent.
-
Hafeez Uddin 296 Reputation points
2021-06-03T19:14:19.987+00:00 I totally agree with @Tom Phillips .
You can also use CLR procedures. -
Erland Sommarskog 121.9K Reputation points MVP Volunteer Moderator2021-06-03T21:42:23.933+00:00 I would agree with Hafeez that using sys.dm_os_file_exists is a better choice, since it is easier to use programmatically. But it is equally undocumented as xp_fileexists.
Nevertheless, there is a solution. Put the operation you want to conduct in a stored procedure, probably including at least the part of the folder to where the user can look for a file. That is, the user should not be able to interrogate the entire server.
Next you create a certificate and sign the procedure with the certificate. Then you create a login from the certificate and make that login member of sysadmin. That "login" is not a real login that can log in, it exists only to connect certificate and permission.
I discuss this technique in a lot more detail in the article (Packaging Permissions in Stored Procedures](https://www.sommarskog.se/grantperm.html) on my web site.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 92%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECR%3C/text%3E%3C/svg%3E)
Chris Rokusek 0 Reputation points2023-04-15T23:43:41.0933333+00:00 After discovering the same issue we used a mock bulk insert on the file. The login is required to be a member of the bulkadmin server role which is better than sysadmin (and it is perform a bulk admin anyway):
GO SET ANSI_NULLS ON; GO SET QUOTED_IDENTIFIER ON; GO ALTER procedure [Common].[usp_FileExists] ( @pPathName nvarchar(300), @poExists bit out, @pDebug bit = 0 ) with execute as 'LoginThatIsInBulkAdminRole' as /*--------------------------------------------------------------------------------------------------------------------- Purpose: Return true if the file exists. Alternative to the xp_fileexists which may requires special permissions for most users. Modified By Description ---------- -------------- --------------------------------------------------------------------------------------- 2020.04.08 crokusek Initial version from udf_FileExists with added bulk insert test as a backup ---------------------------------------------------------------------------------------------------------------------*/ begin try declare @fileExists int; exec xp_fileexist @pPathName, @fileExists output; set @poExists = iif(coalesce(@fileExists, 0) = 1, 1, 0); if (@poExists = 1) return; -- else retest using a bulk insert as the above returns false negatives on -- network drives that aren't physically the local machine and missing instance permission. begin try declare @sql varchar(1000) = ' declare @a bit = ( select 1 from openrowset(bulk ''' + @pPathName + ''', single_blob) f ); '; execute (@sql) set @poExists = 1; -- assume if no error that it worked end try begin catch declare @errorMessage nvarchar(max) = error_message(); if (@pDebug = 1) print 'Caught bulk test error: ' + @errorMessage; set @poExists = 0; end catch return @poExists; end try begin catch declare @CatchingUsp varchar(100) = object_name(@@procid); if (xact_state() = -1) rollback; /* Adjust as needed exec Common.usp_Log @pMethod = @CatchingUsp; exec Common.usp_RethrowError @pCatchingMethod = @CatchingUsp;*/ end catch GO-
Erland Sommarskog 121.9K Reputation points MVP Volunteer Moderator
2023-04-16T08:53:20.7533333+00:00 with execute as 'LoginThatIsInBulkAdminRole'
While you call it a login, you are still impersonating a database user. And when you impersonate a database user, your impersonation is not trusted outside the database. So this means that the above will not work, because all server-level permissions are gone.
...unless the database is set a TRUSTWORTHY and the database owner has been granted the permission AUTHENTICATE SERVER. But this is a security risk. With this setting, a user in the database who is in the db_owner role (or more precisely has permission to create and impersonate users) can easily elevate to sysadmin. Of course, if you don't have any such users that are not already in the sysadmin role, there is no risk. But who knows, maybe you take in a consultant to do performance tuning that you add to db_owner. A more secure way is to use certificate signing. You sign the procedure with a certificate and then you create a login from that certificate that you add to bulkadmin. Yes, this is more steps, but it can easily be automate it. See my article Packaging Permissions in Stored Procedures.
Sign in to comment -