Change PS1 when run as administrator

Change PS1 when run as administrator

[Warren Young]

I just came up with this recipe to change the default PS1 value to use red for the user@host part of the prompt and to change the $ character to a #:

    if id | grep -qi 'member of administrators group'
    then
        export PS1=$(echo "$PS1" | sed -e 's_32_31_' -e 's_\\\$_#_')
    fi

I’m not certain the string match on the output of id(1) works everywhere.  Is there a better way to check for admin privileges under Cygwin?  You can’t check for UID or EUID == 0, for example, as you’d do on a true POSIX system.

Perhaps something like this should go into the default /etc/profile?
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Andrew Schulman]

> I just came up with this recipe to change the default PS1 value to use red for the user@host part of the prompt and to change the $ character to a #:
> 
>     if id | grep -qi 'member of administrators group'
>     then
>         export PS1=$(echo "$PS1" | sed -e 's_32_31_' -e 's_\\\$_#_')
>     fi
> 
> IÂ’m not certain the string match on the output of id(1) works everywhere.  Is there a better way to check for admin privileges under Cygwin?  You canÂ’t check for UID or EUID == 0, for example, as youÂ’d do on a true POSIX system.

Ha!  Yes, there is:  see
https://cygwin.com/ml/cygwin/2015-02/msg00057.html.  The magic test is

id -G | grep -qE '\<(544|0)\>'

where 544 is the Administrators group, and 0 is the root group in case the
old root group entry is present in /etc/group.

For example:

id -G | grep -qE '\<(544|0)\>' && echo admin || echo user


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]

On Mar 15 12:33, Andrew Schulman wrote:
> > I just came up with this recipe to change the default PS1 value to use red for the user@host part of the prompt and to change the $ character to a #:
> > 
> >     if id | grep -qi 'member of administrators group'
> >     then
> >         export PS1=$(echo "$PS1" | sed -e 's_32_31_' -e 's_\\\$_#_')
> >     fi
> > 
> > I’m not certain the string match on the output of id(1) works everywhere.  Is there a better way to check for admin privileges under Cygwin?  You can’t check for UID or EUID == 0, for example, as you’d do on a true POSIX system.
> 
> Ha!  Yes, there is:  see
> https://cygwin.com/ml/cygwin/2015-02/msg00057.html.  The magic test is
> 
> id -G | grep -qE '\<(544|0)\>'
> 
> where 544 is the Administrators group, and 0 is the root group in case the
> old root group entry is present in /etc/group.
> 
> For example:
> 
> id -G | grep -qE '\<(544|0)\>' && echo admin || echo user

Thou shalt not use the test for gid 0 anymore.  If it works, remove the
entry from /etc/group, or better, remove /etc/group entirely.  This entry
will render wrong and unwanted results when you least expect them.  Such
cruft always does.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Change PS1 when run as administrator

[Andrey Repin]

Greetings, Warren Young!

> I just came up with this recipe to change the default PS1 value to use red
> for the user@host part of the prompt and to change the $ character to a #:

>     if id | grep -qi 'member of administrators group'
>     then
>         export PS1=$(echo "$PS1" | sed -e 's_32_31_' -e 's_\\\$_#_')
>     fi

> I’m not certain the string match on the output of id(1) works everywhere. 
> Is there a better way to check for admin privileges under Cygwin?  You can’t
> check for UID or EUID == 0, for example, as you’d do on a true POSIX system.

> Perhaps something like this should go into the default /etc/profile?

PS1_TAIL="$(
  x="$"
  for group in $(id -G); do 
  {
    test $group -eq 114 && { x="#"; break; }
    test $group -eq 544 && { x="#"; break; }
    test $group -eq 0 && { x="Please remove well-known SID overrides from your /etc/group file#"; break; }
  }
  done
  echo $x
  )"
if [ "$color_prompt" = yes ]; then
    PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\007\]\n$PS1_TAIL '
else
    PS1='\u@\h:\w\007\n$PS1_TAIL '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*|putty*)
    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
    ;;
*)
    ;;
esac


-- 
With best regards,
Andrey Repin
Tuesday, March 15, 2016 20:23:26

Sorry for my terrible english...

Re: Change PS1 when run as administrator

[Achim Gratz]

Warren Young writes:
> I’m not certain the string match on the output of id(1) works
> everywhere.  Is there a better way to check for admin privileges under
> Cygwin?  You can’t check for UID or EUID == 0, for example, as you’d
> do on a true POSIX system.

{ id -G | grep -Eq '^544$'; } && echo admin || echo nope

> Perhaps something like this should go into the default /etc/profile?

No, since it gets read for all shells, not just interactive ones.  The
only reason the prompt is set at all in /etc/profile on Cygwin is that
there is no init/login process to initialize it.  But you can always
place a script to that effect into /etc/profile.d if you absolutely want
it there anyway.  I think putting these in the ENV file is preferrable.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 12:37 PM, Achim Gratz <Stromeko@nexgo.de> wrote:
> 
> Warren Young writes:
> 
>> Perhaps something like this should go into the default /etc/profile?
> 
> No, since it gets read for all shells, not just interactive ones.

Not according to the INVOCATION section of bash.1.  It only talks about /etc/profile in the context of login shells.

Proof:

    $ echo 'echo re-sourced /etc/profile' >> /etc/profile
    $ bash
    $ ( ls )

> you can always
> place a script to that effect into /etc/profile.d if you absolutely want
> it there anyway.

I’ve been putting it in .bash_profile, which, like /etc/profile, is only sourced once when an interactive shell is started.

It would just be nice not to have to make this local tweak on every Cygwin installation.

Even if you don’t like my green -> red change, I do think the default PS1 should switch from $ to # when run as admin.

> I think putting these in the ENV file is preferrable.

I don’t know what you mean by that.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 11:23 AM, Andrey Repin <anrdaemon@yandex.ru> wrote:
> 
> PS1_TAIL="$(
>  x="$"
>  for group in $(id -G); do 
>  {
>    test $group -eq 114 && { x="#"; break; }
>    test $group -eq 544 && { x="#"; break; }
>    test $group -eq 0 && { x="Please remove well-known SID overrides from your /etc/group file#"; break; }
>  }
>  done
>  echo $x
>  )"
> if [ "$color_prompt" = yes ]; then
>    PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\007\]\n$PS1_TAIL '
> else
>    PS1='\u@\h:\w\007\n$PS1_TAIL '
> fi
> unset color_prompt force_color_prompt

Here’s a simpler version that’s closer to the stock version in color and style, with the quoting errors fixed:

PS1_COLOR=32
PS1_PCHAR='$'
for group in $(id -G); do
   test $group -eq 114 && { PS1_PCHAR='#'; PS1_COLOR=31; break; }
   test $group -eq 544 && { PS1_PCHAR='#'; PS1_COLOR=31; break; }
   test $group -eq 0   && { PS1_PCHAR='!'; PS1_COLOR=41; break; }
done
PS1='\[\e]0;\w\a\]\n\[\e['$PS1_COLOR'm\]\u@\h '
PS1=$PS1'\[\e[33m\]\w\[\e[0m\]\n'$PS1_PCHAR' '


I’ve split the last line to avoid wrapping.

I’ve gone with the “check engine light” approach to error reporting for the GID=0 case.

If someone wants to apply this to Cygwin’s stock /etc files, it needs to go in /etc/bash.bashrc in Cygwin, not /etc/profile.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Achim Gratz]

Andrey Repin writes:
>     test $group -eq 114 && { x="#"; break; }

Nope, that group membership isn't associated with real administrative
powers.  It just tells you that this is a local account that is normally
in the Administrators group, but you are still in that group when you
drop those privileges.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Thomas Wolff]

Am 15.03.2016 um 18:08 schrieb Corinna Vinschen:
> On Mar 15 12:33, Andrew Schulman wrote:
>>> I just came up with this recipe to change the default PS1 value to use red for the user@host part of the prompt and to change the $ character to a #:
>>>
>>>      if id | grep -qi 'member of administrators group'
>>>      then
>>>          export PS1=$(echo "$PS1" | sed -e 's_32_31_' -e 's_\\\$_#_')
>>>      fi
>>>
>>> IÂ’m not certain the string match on the output of id(1) works everywhere.  Is there a better way to check for admin privileges under Cygwin?  You canÂ’t check for UID or EUID == 0, for example, as youÂ’d do on a true POSIX system.
>> Ha!  Yes, there is:  see
>> https://cygwin.com/ml/cygwin/2015-02/msg00057.html.  The magic test is
>>
>> id -G | grep -qE '\<(544|0)\>'
>>
>> where 544 is the Administrators group, and 0 is the root group in case the
>> old root group entry is present in /etc/group.
>>
>> For example:
>>
>> id -G | grep -qE '\<(544|0)\>' && echo admin || echo user
> Thou shalt not use the test for gid 0 anymore.  If it works, remove the
> entry from /etc/group, or better, remove /etc/group entirely.  This entry
> will render wrong and unwanted results when you least expect them.  Such
> cruft always does.
So id -G | grep -q '\<544\>' I suppose. Is there also a universal 
replacement for
     elif id | grep -e "gid=.*(Power Users)" > /dev/null
?
Thomas

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 2:17 PM, Achim Gratz <Stromeko@nexgo.de> wrote:
> 
> Andrey Repin writes:
>>    test $group -eq 114 && { x="#"; break; }
> 
> Nope, that group membership isn't associated with real administrative
> powers.

Confirmed, at least on Win10 64-bit without any AD mucking things up.  That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 3:34 PM, Thomas Wolff <towo@towo.net> wrote:
> 
> Is there also a universal replacement for
>    elif id | grep -e "gid=.*(Power Users)" > /dev/null
> ?

Give this a try:

PS1_COLOR=32
PS1_PCHAR='$'
for group in $(id -G); do
   test $group -eq 544 && { PS1_PCHAR='#'; PS1_COLOR=31; break; }
   test $group -eq 547 && { PS1_PCHAR='>'; PS1_COLOR=36; break; }
   test $group -eq 0   && { PS1_PCHAR='!'; PS1_COLOR=41; break; }
done
PS1='\[\e]0;\w\a\]\n\[\e['$PS1_COLOR'm\]\u@\h '
PS1=$PS1'\[\e[33m\]\w\[\e[0m\]\n'$PS1_PCHAR' '

I chose the color and prompt character mnemonically from PowerShell.

The color is actually cyan rather than the true blue of PowerShell because blue-on-black is difficult for me to read.  (Chromatic aberration due to glasses.)

This is untested since the Power Users group seems to have disappeared in Windows 10.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Erik Soderquist]

On Tue, Mar 15, 2016 at 6:19 PM, Warren Young wrote:
> Confirmed, at least on Win10 64-bit without any AD mucking things up.  That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.

Looks like AD may muck things up for those of us stuck with it.  I
have neither 114 nor 544, but do have local admin to this host.

Also, I have 0... how long ago was 0 and/or /etc/group removed?  This
host less than a year old, and cygwin (64 bit) was installed fresh as
one of the first things I did once I had it in my posession...

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 4:40 PM, Erik Soderquist <ErikSoderquist@gmail.com> wrote:
> 
> On Tue, Mar 15, 2016 at 6:19 PM, Warren Young wrote:
>> Confirmed, at least on Win10 64-bit without any AD mucking things up.  That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
> 
> Looks like AD may muck things up for those of us stuck with it.  I
> have neither 114 nor 544, but do have local admin to this host.
> 
> Also, I have 0... how long ago was 0 and/or /etc/group removed?

1.7.34, with adjustments in .35 and 2.0.0.

You *really* should consider moving /etc/passwd and /etc/group out of the way under 2.0+.

Having done that, does the output of id -G shape up?
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Erik Soderquist]

On Tue, Mar 15, 2016 at 6:43 PM, Warren Young <wyml@etr-usa.com> wrote:
>> Also, I have 0... how long ago was 0 and/or /etc/group removed?
>
> 1.7.34, with adjustments in .35 and 2.0.0.
>
> You *really* should consider moving /etc/passwd and /etc/group out of the way under 2.0+.
>
> Having done that, does the output of id -G shape up?

Yes, I now show 544.  Such is one of the unexpected results Corinna warned of.

However, I do not know where /etc/passwd and /etc/group came from on
this system, unless pre-1.7.34 is still less than a year ago (I highly
doubt it, but have not paid attention to versions here until the past
month or so...)

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 4:48 PM, Erik Soderquist <ErikSoderquist@gmail.com> wrote:
> 
> I do not know where /etc/passwd and /etc/group came from on
> this system, unless pre-1.7.34 is still less than a year ago

Google sez: https://cygwin.com/ml/cygwin-announce/2014-11/msg00019.html

Relevant:   https://cygwin.com/ml/cygwin-announce/2015-02/msg00009.html
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Erik Soderquist]

On Tue, Mar 15, 2016 at 6:53 PM, Warren Young <wyml@etr-usa.com> wrote:
>> I do not know where /etc/passwd and /etc/group came from on
>> this system, unless pre-1.7.34 is still less than a year ago
>
> Google sez: https://cygwin.com/ml/cygwin-announce/2014-11/msg00019.html
>
> Relevant:   https://cygwin.com/ml/cygwin-announce/2015-02/msg00009.html

So over a year now... yeah, no idea, why I had /etc/group at all...

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 5:00 PM, Erik Soderquist <ErikSoderquist@gmail.com> wrote:
> 
> On Tue, Mar 15, 2016 at 6:53 PM, Warren Young <wyml@etr-usa.com> wrote:
>>> I do not know where /etc/passwd and /etc/group came from on
>>> this system, unless pre-1.7.34 is still less than a year ago
>> 
>> Google sez: https://cygwin.com/ml/cygwin-announce/2014-11/msg00019.html
>> 
>> Relevant:   https://cygwin.com/ml/cygwin-announce/2015-02/msg00009.html
> 
> So over a year now... yeah, no idea, why I had /etc/group at all…

You can still re-generate them with the mkpasswd/mkgroup commands, but that’s strongly discouraged.

These files are not removed if present, even when upgrading pre-1.7.34 to 2.0+, so if you copied over a prior install’s /etc contents, they’ll still be there many setup.exe passes later.

Perhaps the mtime on those files will give you a clue.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Erik Soderquist]

On Tue, Mar 15, 2016 at 7:03 PM, Warren Young <wyml@etr-usa.com> wrote:
> You can still re-generate them with the mkpasswd/mkgroup commands, but that’s strongly discouraged.
>
> These files are not removed if present, even when upgrading pre-1.7.34 to 2.0+, so if you copied over a prior install’s /etc contents, they’ll still be there many setup.exe passes later.
>
> Perhaps the mtime on those files will give you a clue.

I've never tried to copy /etc/ anything from one install to another in
cygwin... had too many bad experiences in Linux trying that it is
burned into me to never do bulk copies of configs from old machines to
new machines.

passwd is dated 2015-10-29, group is dated 2014-12-05...

I'm going to have to check corporate purchase logs; I'm fairly certain
that I have not had this machine that long, and I know for certain the
machine was purchased new for me, so no one else had it before me... I
can't imagine Dell preloading cygwin for me, and corporate asset
management explicitly refused to do the load of any "non-standard" app
themselves.

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 5:14 PM, Erik Soderquist <ErikSoderquist@gmail.com> wrote:
> 
> I'm fairly certain
> that I have not had this machine that long

The mtimes on those files is as reliable as your system clock, because they’re generated during first install.

Contrast that with files unpacked from tarballs which can be backdated to the date the package maintainer created the package; that isn’t happening in this case.

I suspect the only reason your passwd file is newer than your group file is that you (or some tool) edited it after it was generated, presumably the same day /etc/group was generated.

Time gets away from us all.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Andrey Repin]

Greetings, Warren Young!

> On Mar 15, 2016, at 2:17 PM, Achim Gratz <Stromeko@nexgo.de> wrote:
>> 
>> Andrey Repin writes:
>>>    test $group -eq 114 && { x="#"; break; }
>> 
>> Nope, that group membership isn't associated with real administrative
>> powers.

> Confirmed, at least on Win10 64-bit without any AD mucking things up.  That
> is, I get both 114 and 544 here, so I don’t need the 114 rule at all.

I vaguely recall there was an issue with Microsoft accounts vs. true local accs.
Either way, both indicate that you have local administrator privileges,
doesn't hurt to have both.
Thanks for color suggestion, I'll grab it, if you don't mind.


-- 
With best regards,
Andrey Repin
Wednesday, March 16, 2016 02:11:30

Sorry for my terrible english...

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 5:19 PM, Warren Young <wyml@etr-usa.com> wrote:
> 
> On Mar 15, 2016, at 5:14 PM, Erik Soderquist <ErikSoderquist@gmail.com> wrote:
>> 
>> I'm fairly certain
>> that I have not had this machine that long
> 
> The mtimes on those files is as reliable as your system clock, because they’re generated during first install.

Clarification: they *were* generated during first install in 1.7.33 and earlier.  They aren’t any more.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Warren Young]

On Mar 15, 2016, at 5:13 PM, Andrey Repin <anrdaemon@yandex.ru> wrote:
> 
> I'll grab it, if you don't mind.

That was the idea.  It’s a patch I don’t have to maintain now.  :)

Thank you!
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Erik Soderquist]

On Tue, Mar 15, 2016 at 7:19 PM, Warren Young wrote:
>> I'm fairly certain that I have not had this machine that long
>
> The mtimes on those files is as reliable as your system clock, because they’re generated during first install.

Turns out I was wrong, I've had the machine since 2014-12-04 according
to corporate asset management records... cygwin installed the next day
sounds like me.

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Change PS1 when run as administrator

[Brian Inglis]

Warren Young <wyml <at> etr-usa.com> writes:
> On Mar 15, 2016, at 2:17 PM, Achim Gratz <Stromeko <at> nexgo.de> wrote:
>> Andrey Repin writes:
>>>    test $group -eq 114 && { x="#"; break; }
>> Nope, that group membership isn't associated with real administrative
>> powers.
> Confirmed, at least on Win10 64-bit without any AD mucking things up.
> That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.

Opposite for me on Win7 x64 non-domain machine! 
I am always a member of 544(Administrators) group and it is my default
primary group in normal non-admin and elevated admin shells. 

In elevated admin shell, I am also a member of 114(Local account and member
of Administrators group) and 405504(High Mandatory Level) not 401408(Medium
Mandatory Level). 

No idea how this works in domains and with domain accounts, but perhaps
checking for 114 and/or 405504 would be more portable? 

$ uname -srvmo
CYGWIN_NT-6.1 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin

normal non-admin shell:
$ id
uid=... gid=544(Administrators)
groups=544(Administrators),197121(None),197610(HomeUsers),545(Users),
4(INTERACTIVE),66049(CONSOLE
LOGON),11(Authenticated Users),15(This Organization),113(Local
account),4095(CurrentSession),66048(LOCAL),262154(NTLM
Authentication),401408(Medium Mandatory Level)

elevated admin shell:
$ id
uid=... gid=544(Administrators)
groups=544(Administrators),197121(None),114(Local account and member of
Administrators
group),197610(HomeUsers),545(Users),4(INTERACTIVE),66049(CONSOLE
LOGON),11(Authenticated Users),15(This Organization),113(Local
account),4095(CurrentSession),66048(LOCAL),262154(NTLM
Authentication),405504(High Mandatory Level)

This is also reflected by getent group with no args.

The Windows and Cygwin groups entries are: 
Administrators:S-1-5-32-544:544:
Local account and member of Administrators group:S-1-5-114:114:
Untrusted Mandatory Level:S-1-16-0:393216:
Low Mandatory Level:S-1-16-4096:397312:
Medium Mandatory Level:S-1-16-8192:401408:
High Mandatory Level:S-1-16-12288:405504:
System Mandatory Level:S-1-16-16384:409600:

Re: Change PS1 when run as administrator

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2418 bytes --]

On Mar 23 12:35, Brian Inglis wrote:
> Warren Young <wyml <at> etr-usa.com> writes:
> > On Mar 15, 2016, at 2:17 PM, Achim Gratz <Stromeko <at> nexgo.de> wrote:
> >> Andrey Repin writes:
> >>>    test $group -eq 114 && { x="#"; break; }
> >> Nope, that group membership isn't associated with real administrative
> >> powers.
> > Confirmed, at least on Win10 64-bit without any AD mucking things up.
> > That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
> 
> Opposite for me on Win7 x64 non-domain machine! 
> I am always a member of 544(Administrators) group and it is my default
> primary group in normal non-admin and elevated admin shells. 
> 
> In elevated admin shell, I am also a member of 114(Local account and member
> of Administrators group) and 405504(High Mandatory Level) not 401408(Medium
> Mandatory Level). 
> 
> No idea how this works in domains and with domain accounts, but perhaps
> checking for 114 and/or 405504 would be more portable? 
> 
> $ uname -srvmo
> CYGWIN_NT-6.1 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin
> 
> normal non-admin shell:
> $ id
> uid=... gid=544(Administrators)
> groups=544(Administrators),197121(None),197610(HomeUsers),545(Users),
> 4(INTERACTIVE),66049(CONSOLE
> LOGON),11(Authenticated Users),15(This Organization),113(Local
> account),4095(CurrentSession),66048(LOCAL),262154(NTLM
> Authentication),401408(Medium Mandatory Level)

You have either some /etc/passwd, /etc/group settings overshadowing the
default settings, or you used the "desc" method described in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
to change your primary group.

Otherwise your primary group is always "None", or the equivalent in your
locale.  The admins group is *never* the primary group, unless you
messed with the settings for Cygwin as outlined above.

If you're member in the Admins group, then the admins group is part of
the non-elevated token, but only as "deny-only" group.  That means, it's
usually not shown in id, unless you made it primary group, in which case
it has to be shown.

You better remove this.  I think I'll fix this function to not allow
primary groups wehich are not enabled in the token.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Change PS1 when run as administrator

[Brian Inglis]

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> On Mar 23 12:35, Brian Inglis wrote:
>> Warren Young <wyml <at> etr-usa.com> writes:
>>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
>>> That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
>> Opposite for me on Win7 x64 non-domain machine! 
>> I am always a member of 544(Administrators) group and it is my default
>> primary group in normal non-admin and elevated admin shells. 
>> In elevated admin shell, I am also a member of 114(Local account and 
>> member of Administrators group) and 405504(High Mandatory Level) not 
>> 401408(Medium Mandatory Level). 

> You have either some /etc/passwd, /etc/group settings overshadowing the
> default settings, or you used the "desc" method described in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> to change your primary group.
> Otherwise your primary group is always "None", or the equivalent in your
> locale.  The admins group is *never* the primary group, unless you
> messed with the settings for Cygwin as outlined above.
> If you're member in the Admins group, then the admins group is part of
> the non-elevated token, but only as "deny-only" group.  That means, it's
> usually not shown in id, unless you made it primary group, in which case
> it has to be shown.
> You better remove this.  I think I'll fix this function to not allow
> primary groups which are not enabled in the token.

net user /comment - thanks, that worked.
Removed comment (in elevated shell) and default became None.
Readded comment with Users and that became the default.
Will leave that there, as seeing None=="local non-domain accounts" bugs me,
and it seems stupid to default anything to local non-domain accounts only.

Is there a better consistent choice of dynamic group having elevated rights
on both local and domain systems than 544 e.g. 114 or 405504 or ?

Re: Change PS1 when run as administrator

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2692 bytes --]

On Mar 23 18:01, Brian Inglis wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > On Mar 23 12:35, Brian Inglis wrote:
> >> Warren Young <wyml <at> etr-usa.com> writes:
> >>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
> >>> That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
> >> Opposite for me on Win7 x64 non-domain machine! 
> >> I am always a member of 544(Administrators) group and it is my default
> >> primary group in normal non-admin and elevated admin shells. 
> >> In elevated admin shell, I am also a member of 114(Local account and 
> >> member of Administrators group) and 405504(High Mandatory Level) not 
> >> 401408(Medium Mandatory Level). 
> 
> > You have either some /etc/passwd, /etc/group settings overshadowing the
> > default settings, or you used the "desc" method described in
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> > to change your primary group.
> > Otherwise your primary group is always "None", or the equivalent in your
> > locale.  The admins group is *never* the primary group, unless you
> > messed with the settings for Cygwin as outlined above.
> > If you're member in the Admins group, then the admins group is part of
> > the non-elevated token, but only as "deny-only" group.  That means, it's
> > usually not shown in id, unless you made it primary group, in which case
> > it has to be shown.
> > You better remove this.  I think I'll fix this function to not allow
> > primary groups which are not enabled in the token.

The latest test release 2.5.0-0.9 now checks if the desired primary
group is enabled in the token.  If it's not enabled, as in the case
of the admins group for non-elevated admin accounts, it refuses to
change the primary group and keeps the default primary group intact.

> net user /comment - thanks, that worked.
> Removed comment (in elevated shell) and default became None.
> Readded comment with Users and that became the default.
> Will leave that there, as seeing None=="local non-domain accounts" bugs me,
> and it seems stupid to default anything to local non-domain accounts only.

> Is there a better consistent choice of dynamic group having elevated rights
> on both local and domain systems than 544 e.g. 114 or 405504 or ?

I don't understand the question.  What counts is group 544,
administrators.  But there's no good reason to make this group your
primary group.  Membership is sufficient.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]