public inbox for cygwin@cygwin.com
* Running bash script as SYSTEM from account with admin rights?
From: Martin Wege @ 2023-09-22  5:38 UTC (permalink / raw)
  To: cygwin

Hello,

Does Cygwin have a tool to run a bash script as SYSTEM user if my
account already has admin rights?

Thanks,
Martin


* Re: Running bash script as SYSTEM from account with admin rights?
From: Christian Franke @ 2023-09-22  7:41 UTC (permalink / raw)
  To: cygwin

Martin Wege via Cygwin wrote:
> Hello,
>
> Does Cygwin have a tool to run a bash script as SYSTEM user if my
> account already has admin rights?

No (AFAIK).

I use psexec from Sysinternals tools 
(https://learn.microsoft.com/sysinternals/downloads/psexec)

This starts a Cygwin terminal as SYSTEM user:

psexec -s -i c:\cygwin\bin\mintty -

-- 
Regards,
Christian



* Re: Running bash script as SYSTEM from account with admin rights?
From: Martin Wege @ 2023-09-22  8:47 UTC (permalink / raw)
  To: cygwin

On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
<cygwin@cygwin.com> wrote:
>
> Martin Wege via Cygwin wrote:
> > Hello,
> >
> > Does Cygwin have a tool to run a bash script as SYSTEM user if my
> > account already has admin rights?
>
> No (AFAIK).
>
> I use psexec from Sysinternals tools
> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>
> This starts a Cygwin terminal as SYSTEM user:
>
> psexec -s -i c:\cygwin\bin\mintty -

Use of psexec is forbidden, as it triggers our security software (Cortex XDR).

Windows has https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
Can we use that to write a C wrapper program, to switch from current
user with admin rights to the SYSTEM account, execute command and then
exit(0) the wrapper?

Thanks,
Martin


* Re: Running bash script as SYSTEM from account with admin rights?
From: Christian Franke @ 2023-09-22 12:39 UTC (permalink / raw)
  To: cygwin

Martin Wege via Cygwin wrote:
> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
> <cygwin@cygwin.com> wrote:
>> Martin Wege via Cygwin wrote:
>>> Hello,
>>>
>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>> account already has admin rights?
>> No (AFAIK).
>>
>> I use psexec from Sysinternals tools
>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>
>> This starts a Cygwin terminal as SYSTEM user:
>>
>> psexec -s -i c:\cygwin\bin\mintty -
> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).

Then it is possibly not recommended to do anything special that psexec 
could do, except if there exists an explicit permission :-)


> Windows has https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
> Can we use that to write a C wrapper program, to switch from current
> user with admin rights to the SYSTEM account, execute command and then
> exit(0) the wrapper?

Functions from this API are also used by the setuid() emulation of Cygwin 
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). 
User switching relies on an access token returned by LogonUser() or 
similar. This requires a password or other credential which is (AFAIK) 
never available for the SYSTEM user.

Windows services are run as SYSTEM by default. Running the script with 
bash installed as a service (via cygrunsrv) may do the trick.

-- 
Regards,
Christian



* Re: Running bash script as SYSTEM from account with admin rights?
From: Brian Inglis @ 2023-09-22 14:18 UTC (permalink / raw)
  To: cygwin; +Cc: Christian Franke


On 2023-09-22 06:39, Christian Franke via Cygwin wrote:
> Martin Wege via Cygwin wrote:
>> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
>> <cygwin@cygwin.com> wrote:
>>> Martin Wege via Cygwin wrote:
>>>> Hello,
>>>>
>>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>>> account already has admin rights?
>>> No (AFAIK).
>>>
>>> I use psexec from Sysinternals tools
>>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>>
>>> This starts a Cygwin terminal as SYSTEM user:
>>>
>>> psexec -s -i c:\cygwin\bin\mintty -
>> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).
> 
> Then it is possibly not recommended to do anything special that psexec could do, 
> except if there exists an explicit permission :-)
> 
> 
>> Windows has 
>> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
>> Can we use that to write a C wrapper program, to switch from current
>> user with admin rights to the SYSTEM account, execute command and then
>> exit(0) the wrapper?
> 
> Functions from this API are also used by the setuid() emulation of Cygwin 
> (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). User 
> switching relies on an access token returned by LogonUser() or similar. This 
> requires a password or other credential which is (AFAIK) never available for the 
> SYSTEM user.
> 
> Windows services are run as SYSTEM by default. Running the script with bash 
> installed as a service (via cygrunsrv) may do the trick.

For elevated automated scripts, such as service startup, shutdown, and cleanup, 
I add privileged jobs as Scheduled Tasks under account SYSTEM, whether logged in 
or not, with highest privileges, command c:\cygwin\bin\dash arguments 
/usr/local/bin/....sh.

For interactive elevated commands (normally Windows commands), such as firewall 
rules for testing network packages like curl, I use an auto-elevate wrapper as 
in the attached script.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

[-- Attachment #2: auto-elevate-admin-script-cmd.txt --]
[-- Type: text/plain, Size: 714 bytes --]

@ECHO on
::%COMSPEC% /C
:: auto-elevate-admin-script.cmd - auto elevate Windows command script with admin rights

SET SHELLEX=javascript^: var shell = new ActiveXObject^('shell.application'^)^; shell.ShellExecute
SET ELEVATE='', 'runas', 1^)^; close^(^)^;
SET WD=%~dp0

:: add non-blank arg 1 to log name
IF ""=="%1" (
    SET LOG=%WD%%~n0.log
) ELSE (
    SET LOG=%WD%%~n0-%1.log
)

:: check or elevate - see https://stackoverflow.com/a/37669661
NET FILE >NUL 2>NUL

IF ERRORLEVEL 1 (
    CD /d %WD%
    mshta "%SHELLEX%('%~nx0', '%*', %ELEVATE%"
    EXIT /b
)

CD /d %WD%

...

:: take ownership and grant user rights to log
IF EXIST %LOG% (
    takeown /f %LOG%
    icacls %LOG% /grant %USERNAME%:F
)

EXIT /b


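Added example (not code from this thread, from its authors, or from the Cygwin project): one script that packages a job both ways the replies above describe. Christian's way is a cygrunsrv service, which runs under LocalSystem unless -u/-w name another account; Brian's way is a Scheduled Task under SYSTEM with highest privileges. The names are constructed for the example (service "cygcleanup", job body /usr/local/bin/nightly-cleanup.sh, log /var/log/cygcleanup.log); the one fact relied on is that Cygwin maps the SYSTEM SID S-1-5-18 to uid 18. The install verbs only print the command line so it can be reviewed and pasted into an elevated shell; the run verb refuses to do privileged work unless the process really is SYSTEM, which catches the job being launched from an ordinary admin shell by mistake.

```shell
#!/bin/sh
# run-as-system.sh -- added example for this thread, not code from the thread
# or from the Cygwin project.  Registers a job so that it runs as SYSTEM either
# as a cygrunsrv service (LocalSystem unless -u/-w name another account) or as
# a Scheduled Task under SYSTEM, and checks at run time what it actually got.
#
# Assumptions, all constructed for the example: service name "cygcleanup",
# job body in /usr/local/bin/nightly-cleanup.sh, log in /var/log/cygcleanup.log.
# Fact relied on: Cygwin maps the SYSTEM SID S-1-5-18 to uid 18.

SYSTEM_UID=18
JOB_NAME=cygcleanup
JOB_SCRIPT=/usr/local/bin/nightly-cleanup.sh
LOG=/var/log/$JOB_NAME.log

# Exit status 0 when the uid given as $1 (default: the current uid) is SYSTEM.
is_system_uid() {
    [ "${1:-$(id -u)}" -eq "$SYSTEM_UID" ]
}

# Print the cygrunsrv command that installs $2 as Cygwin service $1, run by bash.
# Flags: -I install, -p program, -a program arguments, -t start type,
# -d display name.  No -u/-w, so the service gets the LocalSystem account.
cygrunsrv_install_cmd() {
    printf 'cygrunsrv -I %s -p /bin/bash -a "%s run" -t manual -d "Cygwin job %s"\n' \
        "$1" "$2" "$1"
}

# Print the schtasks command that registers the same job as a Scheduled Task
# under SYSTEM with highest privileges (daily at 02:00 here; pick the
# schedule that suits the job).
schtasks_create_cmd() {
    printf 'schtasks /Create /TN "Cygwin\\%s" /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST /TR "C:\\cygwin\\bin\\bash %s run"\n' \
        "$1" "$2"
}

# The job itself: refuse to do privileged work unless we really are SYSTEM,
# then append a timestamped line to the log.  Anything that must run with
# the SYSTEM token belongs after the guard.
run_job() {
    if ! is_system_uid; then
        printf '%s: not running as SYSTEM (uid %s); start it via the service or task\n' \
            "$JOB_NAME" "$(id -u)" >&2
        return 1
    fi
    printf '%s job started by %s\n' "$(date '+%F %T')" "$(id -un)" >>"$LOG"
    # ... the privileged cleanup work goes here ...
}

case "${1:-}" in
    install-service) cygrunsrv_install_cmd "$JOB_NAME" "$JOB_SCRIPT" ;;
    install-task)    schtasks_create_cmd "$JOB_NAME" "$JOB_SCRIPT" ;;
    run)             run_job ;;
    "")              : ;;   # no verb: only define the functions (e.g. when sourced)
    *)               echo "usage: $0 install-service|install-task|run" >&2; exit 2 ;;
esac
```

Usage: copy the script to the assumed path, then `./run-as-system.sh install-service` (or `install-task`) prints the command to run from an elevated shell, after which `cygrunsrv -S cygcleanup` or the task scheduler starts it as SYSTEM. Because the log is then owned by SYSTEM, an ordinary admin account still needs something like Brian's takeown/icacls step to read it.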
