Persmissions issue when running Shell command

Riddick

I created a CU to run HotCopy.exe and attached the CU to the Job Queue scheduler. The scheduler kicks in and runs the CU, as expected. But for some reason I see an error message in the Application Events log:

The following information is part of the event: For security reasons, you are not allowed to run the following
executable in the SHELL function when it is passed as a variable:

Executable: echo %USERNAME% >> c:\BACKUP\testrun.log
Parameter:

No matter which file I try to run via SHELL, same message pops up. I am logged in as SUPER user with all the privileges on the DB. Any idea why this error message pops up?

TIA.

karstenrobert

Hi,

have a look at the C/SIDE reference online help for shell:

BEGIN

            // The following is NOT trusted and will give a warning:

            ExecName := 'C:\windows\notepad.exe';

            param := 'C:\MyFile.txt';

            ret := SHELL(ExecName, param);

            // The following IS trusted and will not give a warning:

            param := 'C:\MyFile.txt';

            ret := SHELL(TEXT000, param);

            //The following is not possible - will only give an error

            //message during runtime. This is also if it's a TextConst:

            ExecName := 'C:\windows\notepad.exe C:\MyFile.txt';

            ret := SHELL(ExecName);

          END;

So you should set the shell path to the executable as text constant and only make the parameter a normal string.
ret := SHELL(TEXT000, param);
(But you could also use '%1' in the textconstant and then use STRSUBSTNO (String) and you won't get an error too)

kriki

Maybe it is easier to create a cmd-file with the command in it and schedule it on the server through Windows scheduling.

Riddick

Seems that Shell will only execute properly when a text CONSTANT is used. What's interesting is that I can say Shell('cmd.exe') and it will run just fine. But as soon as I pass it a full path name with a command file, Shell thinks there is a security breach and won't run unless it sees a text constant (with that same path and file name). Strange, but nonetheless true, seems it will only "trust" built in commands and apps.

Shell(TEXT001) works fine.

bylle

When using SHELL with a command like "echo %USERNAME% >> c:\BACKUP\testrun.log" you will always have the security issue. This is due to %USERNAME% and therefore Navision assumes that you are running a "new" program each time.

If for instance it always was "echo SchedulerUSER >> c:\Backup\testrun.log", which your text constant properly is, you will not have this issue. Because it is always the same command - only the first time you have to acknowledge the security issue.

If you would like to use %USERNAME%, then instead of SHELL you can use WshShell (it is a part of the automation "Windows Script Host Object Model"). When using WshShell you will not get any security warnings.

You can ready more about it here: http://techblog.byllemos.com/2008/04/execution-of-batch-jobs-and-other-programs-from-navision/