Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Aug 24 18:24, Martin Wege via Cygwin wrote: > On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin wrote: > > > > Martin Wege via Cygwin writes: > > > How can I find out whether the current Cygwin terminal has > > > Administrator rights? I want to safeguard our admin scripts with a > > > simple test and bail out with an error if someone wants to do admin > > > stuff (say: regtool) without admin privileges. > > > > Windows really doesn't have a defined notion of what is or is not an > > "administrator". Each particular definition will be insufficient or > > invalid in certain contexts. When you're dealing with hardened > > installations (via group policies or otherwise), large windows domains > > and/or server administration you may have to be way more specific than > > just looking at one simple indication. > > > > That said, most commonly the presence of SID S-1-5-32-544 in your user > > token (in Cygwin: gid=544, unless you override it in the group config) > > will be the best simple approximation. Incidentally, this is what tcsh > > is using on Cygwin to define the "superuser" for the purpose of setting > > the prompt with "%#": > > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 > > > > For (ba)sh scripts you can parse the output from id along the lines of > > > > id -G | grep -q '\<544\>' && echo admin || echo "not admin" > > Is there any guarantee that the UNIX GID of the "administrator" will > always be "544", regardless of locale or Country-specific version of > Windows? https://cygwin.com/pipermail/cygwin/2023-August/254218.html Corinna -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Thu, Aug 24, 2023 at 8:52 AM Bill Stewart wrote: On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote: > > > How can I find out whether the current Cygwin terminal has >> > Administrator rights? I want to safeguard our admin scripts with a >> > simple test and bail out with an error if someone wants to do admin >> > stuff (say: regtool) without admin privileges. >> >> >> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 >> > > This answer may be misleading. For example, when I log on using an account > that's a member of Administrators, my account is a member of the group, but > the Administrators group token is not enabled. For example, if I log on as > a member of the Administrators group and open a PowerShell window, I can > run the following, and it will output the local Administrators group (there > will be no output if the account is not a member of Administrators): > > PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID > -eq "S-1-5-32-544" } > > That is, while it is true that the process is a member of the > Administrators group, the group isn't enabled, so the process isn't > actually running with administrative permissions. In Windows-speak we would > say the process isn't "elevated" ("elevated" = "running with administrative > permissions"). In other words, logging on as a member of Administrators > doesn't mean that processes you start are elevated. > > IME, what is normally being asked for is whether the current process is > elevated (i.e., the group is both present and enabled). The usual Windows > API way to check this is the CheckTokenMembership() function: > > > https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership > > In that reference: "The CheckTokenMembership function simplifies the > process of determining whether a SID is both present and enabled in an > access token." > > As an example, I wrote a little Windows program called 'elevate' that has > a '-t' option to test whether the current process is elevated: > > https://github.com/Bill-Stewart/elevate > To elaborate on the above, the cygwin 'id -G' command looks like it takes this into account and only outputs enabled group IDs. I should have checked this before I responded, of course. In other words, 'id -G' outputs a 544 in its list if the current process is elevated ("run as administrator"). The 544 won't be in there if the process is not elevated. I just tested from an elevated PowerShell console: PS C:\Windows\System32> ((id -G) -split ' ') -contains '544' True Sorry for any confusion. Bill -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin wrote: > > Martin Wege via Cygwin writes: > > How can I find out whether the current Cygwin terminal has > > Administrator rights? I want to safeguard our admin scripts with a > > simple test and bail out with an error if someone wants to do admin > > stuff (say: regtool) without admin privileges. > > Windows really doesn't have a defined notion of what is or is not an > "administrator". Each particular definition will be insufficient or > invalid in certain contexts. When you're dealing with hardened > installations (via group policies or otherwise), large windows domains > and/or server administration you may have to be way more specific than > just looking at one simple indication. > > That said, most commonly the presence of SID S-1-5-32-544 in your user > token (in Cygwin: gid=544, unless you override it in the group config) > will be the best simple approximation. Incidentally, this is what tcsh > is using on Cygwin to define the "superuser" for the purpose of setting > the prompt with "%#": > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 > > For (ba)sh scripts you can parse the output from id along the lines of > > id -G | grep -q '\<544\>' && echo admin || echo "not admin" Is there any guarantee that the UNIX GID of the "administrator" will always be "544", regardless of locale or Country-specific version of Windows? Also, this might be something for a Cygwin ADMINISTRATOR FAQ, if there is such a thing. Thanks, Martin -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote: > How can I find out whether the current Cygwin terminal has > > Administrator rights? I want to safeguard our admin scripts with a > > simple test and bail out with an error if someone wants to do admin > > stuff (say: regtool) without admin privileges. > > > https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 > This answer may be misleading. For example, when I log on using an account that's a member of Administrators, my account is a member of the group, but the Administrators group token is not enabled. For example, if I log on as a member of the Administrators group and open a PowerShell window, I can run the following, and it will output the local Administrators group (there will be no output if the account is not a member of Administrators): PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" } That is, while it is true that the process is a member of the Administrators group, the group isn't enabled, so the process isn't actually running with administrative permissions. In Windows-speak we would say the process isn't "elevated" ("elevated" = "running with administrative permissions"). In other words, logging on as a member of Administrators doesn't mean that processes you start are elevated. IME, what is normally being asked for is whether the current process is elevated (i.e., the group is both present and enabled). The usual Windows API way to check this is the CheckTokenMembership() function: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership In that reference: "The CheckTokenMembership function simplifies the process of determining whether a SID is both present and enabled in an access token." As an example, I wrote a little Windows program called 'elevate' that has a '-t' option to test whether the current process is elevated: https://github.com/Bill-Stewart/elevate Hope this helps clarify. Bill -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
> Hello, > > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote: Windows really doesn't have a defined notion of what is or is not an > "administrator". Each particular definition will be insufficient or > invalid in certain contexts. > There is a definition of administrator in Windows: Your account is a member, either directly or indirectly, of the Administrators group (SID 1-5-32-544). With the introduction of User Account Control (UAC) in Windows Vista, if you log on as a member of this group, processes are normally started with the Administrators group disabled (i.e, the process is not running as a member of Administrators). The "run as administrator" action starts a process with the group enabled. This is commonly referred to as "elevation." [Side note: As I understand it, one of the reasons UAC was introduced was made was to break (some?) software developers' habits of assuming their programs run as administrator, and to choose better data storage paths, registry paths, etc. See https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510 for a nice summary. Also helpful is the current docs on SIDs: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers ] On a domain, the Domain Admins group (which has a relative identifier, or RID, of 512) is by default a member of the Administrators group. The Administrators group is still there (same SID, S-1-5-32-544), and is called a "Domain Local Security Group" (i.e., it's a local group that's shared by all domain controllers.) Hope this helps clarify. Bill -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
Martin Wege via Cygwin writes: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. Windows really doesn't have a defined notion of what is or is not an "administrator". Each particular definition will be insufficient or invalid in certain contexts. When you're dealing with hardened installations (via group policies or otherwise), large windows domains and/or server administration you may have to be way more specific than just looking at one simple indication. That said, most commonly the presence of SID S-1-5-32-544 in your user token (in Cygwin: gid=544, unless you override it in the group config) will be the best simple approximation. Incidentally, this is what tcsh is using on Cygwin to define the "superuser" for the purpose of setting the prompt with "%#": https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 For (ba)sh scripts you can parse the output from id along the lines of id -G | grep -q '\<544\>' && echo admin || echo "not admin" should be most workable. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf rackAttack V1.04R1: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Thu, Aug 17, 2023 at 8:02 PM Martin Wege via Cygwin wrote: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. I use this bash function: # isadmin - is shell a regular user or admin user function isadmin() { $(cygpath -u 'C:\Windows\System32\net.exe') session > /dev/null 2>&1 if [ $? -eq 0 ]; then echo "admin" else echo "user"; fi } I imagine any other Windows app that needs admin permissions would work. I use this to change the color of the prompt ($PS1) for the admin user to red. HTH Doug -- Doug Henderson, Calgary, Alberta, Canada - from gmail.com -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
Mark Geisert via Cygwin wrote: Backwoods BC via Cygwin wrote: [...] I don't know if this is the official method, but it works for me: # Shell Options # Elevated privilege windows have $SESSIONNAME set if [ "$SESSIONNAME" == "" ] ;then printf -v adminPmt '[\u2022Admin\u2022] ' else export adminPmt="" fi I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin window has "Console". Feh, I mentally reversed the 'if' clauses. I see the same $SESSIONNAME behavior on my machine. Sorry for the noise. ..mark -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
Backwoods BC via Cygwin wrote: On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin wrote: How can I find out whether the current Cygwin terminal has Administrator rights? I want to safeguard our admin scripts with a simple test and bail out with an error if someone wants to do admin stuff (say: regtool) without admin privileges. Thanks, Martin I don't know if this is the official method, but it works for me: # Shell Options # Elevated privilege windows have $SESSIONNAME set if [ "$SESSIONNAME" == "" ] ;then printf -v adminPmt '[\u2022Admin\u2022] ' else export adminPmt="" fi I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin window has "Console". What I do locally is check the output of the 'id' command. If group 544(Administrators) is present, that's a window with Admin rights. Inside .bashrc I have a simple grep test on the output of 'id' to set PS1 (shell prompt) appropriately. ..mark -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Test for Windows Administrator permissions from Cygwin terminal|script?
On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin wrote: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. > > Thanks, > Martin I don't know if this is the official method, but it works for me: # Shell Options # Elevated privilege windows have $SESSIONNAME set if [ "$SESSIONNAME" == "" ] ;then printf -v adminPmt '[\u2022Admin\u2022] ' else export adminPmt="" fi -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple