* Test for Windows Administrator permissions from Cygwin terminal|script? @ 2023-08-18 2:01 Martin Wege 2023-08-18 2:18 ` Backwoods BC ` (3 more replies) 0 siblings, 4 replies; 12+ messages in thread From: Martin Wege @ 2023-08-18 2:01 UTC (permalink / raw) To: cygwin Hello, How can I find out whether the current Cygwin terminal has Administrator rights? I want to safeguard our admin scripts with a simple test and bail out with an error if someone wants to do admin stuff (say: regtool) without admin privileges. Thanks, Martin ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege @ 2023-08-18 2:18 ` Backwoods BC 2023-08-18 8:49 ` Mark Geisert 2023-08-18 22:00 ` Doug Henderson ` (2 subsequent siblings) 3 siblings, 1 reply; 12+ messages in thread From: Backwoods BC @ 2023-08-18 2:18 UTC (permalink / raw) To: Martin Wege; +Cc: cygwin On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin <cygwin@cygwin.com> wrote: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. > > Thanks, > Martin I don't know if this is the official method, but it works for me: ##### Shell Options # Elevated privilege windows have $SESSIONNAME set if [ "$SESSIONNAME" == "" ] ;then printf -v adminPmt '[\u2022Admin\u2022] ' else export adminPmt="" fi ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 2:18 ` Backwoods BC @ 2023-08-18 8:49 ` Mark Geisert 2023-08-18 8:59 ` Mark Geisert 0 siblings, 1 reply; 12+ messages in thread From: Mark Geisert @ 2023-08-18 8:49 UTC (permalink / raw) Cc: cygwin Backwoods BC via Cygwin wrote: > On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin > <cygwin@cygwin.com> wrote: >> How can I find out whether the current Cygwin terminal has >> Administrator rights? I want to safeguard our admin scripts with a >> simple test and bail out with an error if someone wants to do admin >> stuff (say: regtool) without admin privileges. >> >> Thanks, >> Martin > > I don't know if this is the official method, but it works for me: > > ##### Shell Options > # Elevated privilege windows have $SESSIONNAME set > if [ "$SESSIONNAME" == "" ] ;then > printf -v adminPmt '[\u2022Admin\u2022] ' > else > export adminPmt="" > fi I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin window has "Console". What I do locally is check the output of the 'id' command. If group 544(Administrators) is present, that's a window with Admin rights. Inside .bashrc I have a simple grep test on the output of 'id' to set PS1 (shell prompt) appropriately. ..mark ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 8:49 ` Mark Geisert @ 2023-08-18 8:59 ` Mark Geisert 0 siblings, 0 replies; 12+ messages in thread From: Mark Geisert @ 2023-08-18 8:59 UTC (permalink / raw) Cc: cygwin Mark Geisert via Cygwin wrote: > Backwoods BC via Cygwin wrote: [...] >> I don't know if this is the official method, but it works for me: >> >> ##### Shell Options >> # Elevated privilege windows have $SESSIONNAME set >> if [ "$SESSIONNAME" == "" ] ;then >> printf -v adminPmt '[\u2022Admin\u2022] ' >> else >> export adminPmt="" >> fi > > I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin > window has "Console". Feh, I mentally reversed the 'if' clauses. I see the same $SESSIONNAME behavior on my machine. Sorry for the noise. ..mark ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege 2023-08-18 2:18 ` Backwoods BC @ 2023-08-18 22:00 ` Doug Henderson 2023-08-19 8:14 ` ASSI 2023-08-24 13:01 ` Andrew Schulman 3 siblings, 0 replies; 12+ messages in thread From: Doug Henderson @ 2023-08-18 22:00 UTC (permalink / raw) To: cygwin On Thu, Aug 17, 2023 at 8:02 PM Martin Wege via Cygwin <cygwin@cygwin.com> wrote: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. I use this bash function: # isadmin - is shell a regular user or admin user function isadmin() { $(cygpath -u 'C:\Windows\System32\net.exe') session > /dev/null 2>&1 if [ $? -eq 0 ]; then echo "admin" else echo "user"; fi } I imagine any other Windows app that needs admin permissions would work. I use this to change the color of the prompt ($PS1) for the admin user to red. HTH Doug -- Doug Henderson, Calgary, Alberta, Canada - from gmail.com ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege 2023-08-18 2:18 ` Backwoods BC 2023-08-18 22:00 ` Doug Henderson @ 2023-08-19 8:14 ` ASSI 2023-08-19 17:33 ` Bill Stewart 2023-08-24 16:24 ` Martin Wege 2023-08-24 13:01 ` Andrew Schulman 3 siblings, 2 replies; 12+ messages in thread From: ASSI @ 2023-08-19 8:14 UTC (permalink / raw) To: cygwin Martin Wege via Cygwin writes: > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. Windows really doesn't have a defined notion of what is or is not an "administrator". Each particular definition will be insufficient or invalid in certain contexts. When you're dealing with hardened installations (via group policies or otherwise), large windows domains and/or server administration you may have to be way more specific than just looking at one simple indication. That said, most commonly the presence of SID S-1-5-32-544 in your user token (in Cygwin: gid=544, unless you override it in the group config) will be the best simple approximation. Incidentally, this is what tcsh is using on Cygwin to define the "superuser" for the purpose of setting the prompt with "%#": https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 For (ba)sh scripts you can parse the output from id along the lines of id -G | grep -q '\<544\>' && echo admin || echo "not admin" should be most workable. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf rackAttack V1.04R1: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-19 8:14 ` ASSI @ 2023-08-19 17:33 ` Bill Stewart 2023-08-24 16:24 ` Martin Wege 1 sibling, 0 replies; 12+ messages in thread From: Bill Stewart @ 2023-08-19 17:33 UTC (permalink / raw) To: cygwin [-- Attachment #1: Type: text/plain, Size: 1653 bytes --] On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote: Windows really doesn't have a defined notion of what is or is not an > "administrator". Each particular definition will be insufficient or > invalid in certain contexts. > There is a definition of administrator in Windows: Your account is a member, either directly or indirectly, of the Administrators group (SID 1-5-32-544). With the introduction of User Account Control (UAC) in Windows Vista, if you log on as a member of this group, processes are normally started with the Administrators group disabled (i.e, the process is not running as a member of Administrators). The "run as administrator" action starts a process with the group enabled. This is commonly referred to as "elevation." [Side note: As I understand it, one of the reasons UAC was introduced was made was to break (some?) software developers' habits of assuming their programs run as administrator, and to choose better data storage paths, registry paths, etc. See https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510 for a nice summary. Also helpful is the current docs on SIDs: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers ] On a domain, the Domain Admins group (which has a relative identifier, or RID, of 512) is by default a member of the Administrators group. The Administrators group is still there (same SID, S-1-5-32-544), and is called a "Domain Local Security Group" (i.e., it's a local group that's shared by all domain controllers.) Hope this helps clarify. Bill ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-19 8:14 ` ASSI 2023-08-19 17:33 ` Bill Stewart @ 2023-08-24 16:24 ` Martin Wege 2023-08-25 9:42 ` Corinna Vinschen 1 sibling, 1 reply; 12+ messages in thread From: Martin Wege @ 2023-08-24 16:24 UTC (permalink / raw) To: cygwin On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote: > > Martin Wege via Cygwin writes: > > How can I find out whether the current Cygwin terminal has > > Administrator rights? I want to safeguard our admin scripts with a > > simple test and bail out with an error if someone wants to do admin > > stuff (say: regtool) without admin privileges. > > Windows really doesn't have a defined notion of what is or is not an > "administrator". Each particular definition will be insufficient or > invalid in certain contexts. When you're dealing with hardened > installations (via group policies or otherwise), large windows domains > and/or server administration you may have to be way more specific than > just looking at one simple indication. > > That said, most commonly the presence of SID S-1-5-32-544 in your user > token (in Cygwin: gid=544, unless you override it in the group config) > will be the best simple approximation. Incidentally, this is what tcsh > is using on Cygwin to define the "superuser" for the purpose of setting > the prompt with "%#": > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 > > For (ba)sh scripts you can parse the output from id along the lines of > > id -G | grep -q '\<544\>' && echo admin || echo "not admin" Is there any guarantee that the UNIX GID of the "administrator" will always be "544", regardless of locale or Country-specific version of Windows? Also, this might be something for a Cygwin ADMINISTRATOR&PROGRAMMING FAQ, if there is such a thing. Thanks, Martin ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-24 16:24 ` Martin Wege @ 2023-08-25 9:42 ` Corinna Vinschen 0 siblings, 0 replies; 12+ messages in thread From: Corinna Vinschen @ 2023-08-25 9:42 UTC (permalink / raw) To: cygwin On Aug 24 18:24, Martin Wege via Cygwin wrote: > On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote: > > > > Martin Wege via Cygwin writes: > > > How can I find out whether the current Cygwin terminal has > > > Administrator rights? I want to safeguard our admin scripts with a > > > simple test and bail out with an error if someone wants to do admin > > > stuff (say: regtool) without admin privileges. > > > > Windows really doesn't have a defined notion of what is or is not an > > "administrator". Each particular definition will be insufficient or > > invalid in certain contexts. When you're dealing with hardened > > installations (via group policies or otherwise), large windows domains > > and/or server administration you may have to be way more specific than > > just looking at one simple indication. > > > > That said, most commonly the presence of SID S-1-5-32-544 in your user > > token (in Cygwin: gid=544, unless you override it in the group config) > > will be the best simple approximation. Incidentally, this is what tcsh > > is using on Cygwin to define the "superuser" for the purpose of setting > > the prompt with "%#": > > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212 > > > > For (ba)sh scripts you can parse the output from id along the lines of > > > > id -G | grep -q '\<544\>' && echo admin || echo "not admin" > > Is there any guarantee that the UNIX GID of the "administrator" will > always be "544", regardless of locale or Country-specific version of > Windows? https://cygwin.com/pipermail/cygwin/2023-August/254218.html Corinna ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege ` (2 preceding siblings ...) 2023-08-19 8:14 ` ASSI @ 2023-08-24 13:01 ` Andrew Schulman 2023-08-24 14:52 ` Bill Stewart 3 siblings, 1 reply; 12+ messages in thread From: Andrew Schulman @ 2023-08-24 13:01 UTC (permalink / raw) To: cygwin > Hello, > > How can I find out whether the current Cygwin terminal has > Administrator rights? I want to safeguard our admin scripts with a > simple test and bail out with an error if someone wants to do admin > stuff (say: regtool) without admin privileges. https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-24 13:01 ` Andrew Schulman @ 2023-08-24 14:52 ` Bill Stewart 2023-08-24 18:46 ` Bill Stewart 0 siblings, 1 reply; 12+ messages in thread From: Bill Stewart @ 2023-08-24 14:52 UTC (permalink / raw) To: cygwin [-- Attachment #1: Type: text/plain, Size: 2111 bytes --] On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote: > How can I find out whether the current Cygwin terminal has > > Administrator rights? I want to safeguard our admin scripts with a > > simple test and bail out with an error if someone wants to do admin > > stuff (say: regtool) without admin privileges. > > > https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 > This answer may be misleading. For example, when I log on using an account that's a member of Administrators, my account is a member of the group, but the Administrators group token is not enabled. For example, if I log on as a member of the Administrators group and open a PowerShell window, I can run the following, and it will output the local Administrators group (there will be no output if the account is not a member of Administrators): PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" } That is, while it is true that the process is a member of the Administrators group, the group isn't enabled, so the process isn't actually running with administrative permissions. In Windows-speak we would say the process isn't "elevated" ("elevated" = "running with administrative permissions"). In other words, logging on as a member of Administrators doesn't mean that processes you start are elevated. IME, what is normally being asked for is whether the current process is elevated (i.e., the group is both present and enabled). The usual Windows API way to check this is the CheckTokenMembership() function: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership In that reference: "The CheckTokenMembership function simplifies the process of determining whether a SID is both present and enabled in an access token." As an example, I wrote a little Windows program called 'elevate' that has a '-t' option to test whether the current process is elevated: https://github.com/Bill-Stewart/elevate Hope this helps clarify. Bill ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script? 2023-08-24 14:52 ` Bill Stewart @ 2023-08-24 18:46 ` Bill Stewart 0 siblings, 0 replies; 12+ messages in thread From: Bill Stewart @ 2023-08-24 18:46 UTC (permalink / raw) To: cygwin [-- Attachment #1: Type: text/plain, Size: 2728 bytes --] On Thu, Aug 24, 2023 at 8:52 AM Bill Stewart wrote: On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote: > > > How can I find out whether the current Cygwin terminal has >> > Administrator rights? I want to safeguard our admin scripts with a >> > simple test and bail out with an error if someone wants to do admin >> > stuff (say: regtool) without admin privileges. >> >> >> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615 >> > > This answer may be misleading. For example, when I log on using an account > that's a member of Administrators, my account is a member of the group, but > the Administrators group token is not enabled. For example, if I log on as > a member of the Administrators group and open a PowerShell window, I can > run the following, and it will output the local Administrators group (there > will be no output if the account is not a member of Administrators): > > PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID > -eq "S-1-5-32-544" } > > That is, while it is true that the process is a member of the > Administrators group, the group isn't enabled, so the process isn't > actually running with administrative permissions. In Windows-speak we would > say the process isn't "elevated" ("elevated" = "running with administrative > permissions"). In other words, logging on as a member of Administrators > doesn't mean that processes you start are elevated. > > IME, what is normally being asked for is whether the current process is > elevated (i.e., the group is both present and enabled). The usual Windows > API way to check this is the CheckTokenMembership() function: > > > https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership > > In that reference: "The CheckTokenMembership function simplifies the > process of determining whether a SID is both present and enabled in an > access token." > > As an example, I wrote a little Windows program called 'elevate' that has > a '-t' option to test whether the current process is elevated: > > https://github.com/Bill-Stewart/elevate > To elaborate on the above, the cygwin 'id -G' command looks like it takes this into account and only outputs enabled group IDs. I should have checked this before I responded, of course. In other words, 'id -G' outputs a 544 in its list if the current process is elevated ("run as administrator"). The 544 won't be in there if the process is not elevated. I just tested from an elevated PowerShell console: PS C:\Windows\System32> ((id -G) -split ' ') -contains '544' True Sorry for any confusion. Bill ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2023-08-25 9:42 UTC | newest] Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege 2023-08-18 2:18 ` Backwoods BC 2023-08-18 8:49 ` Mark Geisert 2023-08-18 8:59 ` Mark Geisert 2023-08-18 22:00 ` Doug Henderson 2023-08-19 8:14 ` ASSI 2023-08-19 17:33 ` Bill Stewart 2023-08-24 16:24 ` Martin Wege 2023-08-25 9:42 ` Corinna Vinschen 2023-08-24 13:01 ` Andrew Schulman 2023-08-24 14:52 ` Bill Stewart 2023-08-24 18:46 ` Bill Stewart
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).