public inbox for cygwin@cygwin.com
From: Bill Stewart <bstewart@iname.com>
To: cygwin@cygwin.com
Subject: Re: Test for Windows Administrator permissions from Cygwin terminal|script?
Date: Thu, 24 Aug 2023 08:52:39 -0600	[thread overview]
Message-ID: <CANV9t=RTASguS8Bog8Ha8kWTebeU6ub5AsjnUv_3LQ=cXXH96Q@mail.gmail.com> (raw)
In-Reply-To: <74leei1djvvgnbtvrkpctgnp9jc2kqtsjf@4ax.com>


On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:

> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615

This answer may be misleading. For example, when I log on using an account
that's a member of Administrators, my account is a member of the group, but
the Administrators group token is not enabled. For example, if I log on as
a member of the Administrators group and open a PowerShell window, I can
run the following, and it will output the local Administrators group (there
will be no output if the account is not a member of Administrators):

PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" }

That is, while it is true that the process is a member of the
Administrators group, the group isn't enabled, so the process isn't
actually running with administrative permissions. In Windows-speak we would
say the process isn't "elevated" ("elevated" = "running with administrative
permissions"). In other words, logging on as a member of Administrators
doesn't mean that processes you start are elevated.

IME, what is normally being asked for is whether the current process is
elevated (i.e., the group is both present and enabled). The usual Windows
API way to check this is the CheckTokenMembership() function:

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership

In that reference: "The CheckTokenMembership function simplifies the
process of determining whether a SID is both present and enabled in an
access token."

As an example, I wrote a little Windows program called 'elevate' that has a
'-t' option to test whether the current process is elevated:

https://github.com/Bill-Stewart/elevate

Hope this helps clarify.

Bill
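As an added example (not part of Bill's message, and not code from his 'elevate' tool), here is the CheckTokenMembership() check he describes, done from PowerShell via P/Invoke, next to a second function that extends his whoami one-liner to also read the Attributes column, which is what distinguishes "present" from "present and enabled". The function names, the P/Invoke wrapper type `Win32.Token` and the script file name in the usage note are my own choices.

```powershell
# Added example (not from the thread): two ways to ask "is this process elevated?",
# i.e. is S-1-5-32-544 (BUILTIN\Administrators) both present AND enabled in the token.

# 1. Direct call to the Win32 function CheckTokenMembership() (advapi32.dll).
#    TokenHandle = NULL (IntPtr.Zero) means "the token of the calling thread/process".
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CheckTokenMembership(IntPtr TokenHandle, byte[] SidToCheck, out bool IsMember);
'@

function Test-ProcessElevated {
    # Build the binary form of the well-known Administrators SID.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $sidBytes = New-Object byte[] $adminSid.BinaryLength
    $adminSid.GetBinaryForm($sidBytes, 0)

    $isMember = $false
    $ok = [Win32.Token]::CheckTokenMembership([IntPtr]::Zero, $sidBytes, [ref] $isMember)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CheckTokenMembership failed with Win32 error $err"
    }
    # $true only when the SID is present AND enabled, i.e. the process is elevated.
    return $isMember
}

# 2. The same question answered from whoami output: Bill's one-liner plus the
#    Attributes column. A filtered (non-elevated) token lists the group as
#    "Group used for deny only"; an elevated token lists it with "Enabled group".
#    Note that whoami's text is localized, so prefer the API check in scripts.
function Test-ProcessElevatedViaWhoami {
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if ($null -eq $row) { return $false }   # not a member at all
    return [bool]($row.Attributes -match 'Enabled group')
}

# Guard for an admin script: bail out unless the session is elevated.
if (-not (Test-ProcessElevated)) {
    Write-Error 'This script needs an elevated (Run as administrator) session.'
    exit 1
}
Write-Output 'Elevated: OK'
```

From a Cygwin shell script the same guard can be reused without rewriting it in bash: save the block as, say, `test-elevated.ps1` (name assumed) and run `powershell -NoProfile -ExecutionPolicy Bypass -File test-elevated.ps1 || exit 1`; the `exit 1` inside the script becomes the process exit status that bash tests.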

Thread overview: 12+ messages
2023-08-18  2:01 Martin Wege
2023-08-18  2:18 ` Backwoods BC
2023-08-18  8:49   ` Mark Geisert
2023-08-18  8:59     ` Mark Geisert
2023-08-18 22:00 ` Doug Henderson
2023-08-19  8:14 ` ASSI
2023-08-19 17:33   ` Bill Stewart
2023-08-24 16:24   ` Martin Wege
2023-08-25  9:42     ` Corinna Vinschen
2023-08-24 13:01 ` Andrew Schulman
2023-08-24 14:52   ` Bill Stewart [this message]
2023-08-24 18:46     ` Bill Stewart