From: Bill Stewart
Date: Thu, 24 Aug 2023 08:52:39 -0600
Subject: Re: Test for Windows Administrator permissions from Cygwin terminal|script?
To: cygwin@cygwin.com

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:

> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>

This answer may be misleading. For example, when I log on using an account that's a member of Administrators, my account is a member of the group, but the Administrators group token is not enabled.

For example, if I log on as a member of the Administrators group and open a PowerShell window, I can run the following, and it will output the local Administrators group (there will be no output if the account is not a member of Administrators):

PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" }

That is, while it is true that the process is a member of the Administrators group, the group isn't enabled, so the process isn't actually running with administrative permissions. In Windows-speak we would say the process isn't "elevated" ("elevated" = "running with administrative permissions").

In other words, logging on as a member of Administrators doesn't mean that processes you start are elevated.

IME, what is normally being asked for is whether the current process is elevated (i.e., the group is both present and enabled).

The usual Windows API way to check this is the CheckTokenMembership() function:

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership

In that reference: "The CheckTokenMembership function simplifies the process of determining whether a SID is both present and enabled in an access token."

As an example, I wrote a little Windows program called 'elevate' that has a '-t' option to test whether the current process is elevated:

https://github.com/Bill-Stewart/elevate

Hope this helps clarify.

Bill
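
The present-versus-enabled distinction from the message above, as a shell check a Cygwin admin script could call. This is an added example, not code from the message or from the elevate project: it classifies the S-1-5-32-544 row of whoami /groups /fo csv output by its Attributes column. The function names and sample rows are constructed, and it assumes English attribute strings ("Enabled group", "deny only").

```shell
#!/bin/sh
# Added example. Reads `whoami /groups /fo csv` text on stdin and reports the
# state of the local Administrators group (SID S-1-5-32-544) in the token:
#   elevated      present and enabled
#   not-elevated  present but not enabled (deny-only under UAC)
#   not-member    SID absent from the token
# Assumption: English attribute strings ("Enabled group", "deny only").
admin_state() {
    # Strip CRs from Windows line endings; split on "," so that commas inside
    # the quoted Attributes column do not break the fields.
    tr -d '\r' | awk -F'","' '
        $3 == "S-1-5-32-544" {
            found = 1
            if ($4 ~ /Enabled group/ && $4 !~ /deny only/) enabled = 1
        }
        END {
            if (enabled)    print "elevated"
            else if (found) print "not-elevated"
            else            print "not-member"
        }'
}

# Guard for admin scripts: succeeds only when the group is present AND enabled.
is_elevated() {
    [ "$(admin_state)" = "elevated" ]
}

# Constructed sample rows (not captured from a real system).
HDR='"Group Name","Type","SID","Attributes"'
USERS='"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
ADM_DENY='"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
ADM_ON='"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'

printf '%s\r\n' "$HDR" "$USERS" "$ADM_DENY" | admin_state   # not-elevated
printf '%s\r\n' "$HDR" "$USERS" "$ADM_ON"   | admin_state   # elevated

# Usage in a Cygwin script (the full path avoids Cygwin's own /usr/bin/whoami):
#   "$(cygpath -S)/whoami.exe" /groups /fo csv | is_elevated ||
#       { echo "must be run elevated" >&2; exit 1; }
```

A check that only looks for the SID would report the first sample as administrative, which is the misleading result the message describes.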