* Test for Windows Administrator permissions from Cygwin terminal|script?
@ 2023-08-18 2:01 Martin Wege
2023-08-18 2:18 ` Backwoods BC
` (3 more replies)
0 siblings, 4 replies; 12+ messages in thread
From: Martin Wege @ 2023-08-18 2:01 UTC (permalink / raw)
To: cygwin
Hello,
How can I find out whether the current Cygwin terminal has
Administrator rights? I want to safeguard our admin scripts with a
simple test and bail out with an error if someone wants to do admin
stuff (say: regtool) without admin privileges.
Thanks,
Martin
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege
@ 2023-08-18 2:18 ` Backwoods BC
2023-08-18 8:49 ` Mark Geisert
2023-08-18 22:00 ` Doug Henderson
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: Backwoods BC @ 2023-08-18 2:18 UTC (permalink / raw)
To: Martin Wege; +Cc: cygwin
On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin
<cygwin@cygwin.com> wrote:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.
>
> Thanks,
> Martin
I don't know if this is the official method, but it works for me:
##### Shell Options
# Elevated privilege windows have $SESSIONNAME set
if [ "$SESSIONNAME" == "" ] ;then
printf -v adminPmt '[\u2022Admin\u2022] '
else
export adminPmt=""
fi
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 2:18 ` Backwoods BC
@ 2023-08-18 8:49 ` Mark Geisert
2023-08-18 8:59 ` Mark Geisert
0 siblings, 1 reply; 12+ messages in thread
From: Mark Geisert @ 2023-08-18 8:49 UTC (permalink / raw)
Cc: cygwin
Backwoods BC via Cygwin wrote:
> On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin
> <cygwin@cygwin.com> wrote:
>> How can I find out whether the current Cygwin terminal has
>> Administrator rights? I want to safeguard our admin scripts with a
>> simple test and bail out with an error if someone wants to do admin
>> stuff (say: regtool) without admin privileges.
>>
>> Thanks,
>> Martin
>
> I don't know if this is the official method, but it works for me:
>
> ##### Shell Options
> # Elevated privilege windows have $SESSIONNAME set
> if [ "$SESSIONNAME" == "" ] ;then
> printf -v adminPmt '[\u2022Admin\u2022] '
> else
> export adminPmt=""
> fi
I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin
window has "Console".
What I do locally is check the output of the 'id' command. If group
544(Administrators) is present, that's a window with Admin rights. Inside .bashrc
I have a simple grep test on the output of 'id' to set PS1 (shell prompt)
appropriately.
..mark
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 8:49 ` Mark Geisert
@ 2023-08-18 8:59 ` Mark Geisert
0 siblings, 0 replies; 12+ messages in thread
From: Mark Geisert @ 2023-08-18 8:59 UTC (permalink / raw)
Cc: cygwin
Mark Geisert via Cygwin wrote:
> Backwoods BC via Cygwin wrote:
[...]
>> I don't know if this is the official method, but it works for me:
>>
>> ##### Shell Options
>> # Elevated privilege windows have $SESSIONNAME set
>> if [ "$SESSIONNAME" == "" ] ;then
>> printf -v adminPmt '[\u2022Admin\u2022] '
>> else
>> export adminPmt=""
>> fi
>
> I see the opposite on my machine. Admin window has empty $SESSIONNAME, non-Admin
> window has "Console".
Feh, I mentally reversed the 'if' clauses. I see the same $SESSIONNAME behavior
on my machine. Sorry for the noise.
..mark
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege
2023-08-18 2:18 ` Backwoods BC
@ 2023-08-18 22:00 ` Doug Henderson
2023-08-19 8:14 ` ASSI
2023-08-24 13:01 ` Andrew Schulman
3 siblings, 0 replies; 12+ messages in thread
From: Doug Henderson @ 2023-08-18 22:00 UTC (permalink / raw)
To: cygwin
On Thu, Aug 17, 2023 at 8:02 PM Martin Wege via Cygwin
<cygwin@cygwin.com> wrote:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.
I use this bash function:
# isadmin - is shell a regular user or admin user
function isadmin()
{
$(cygpath -u 'C:\Windows\System32\net.exe') session > /dev/null 2>&1
if [ $? -eq 0 ]; then echo "admin"
else echo "user"; fi
}
I imagine any other Windows app that needs admin permissions would work.
I use this to change the color of the prompt ($PS1) for the admin user to red.
HTH
Doug
--
Doug Henderson, Calgary, Alberta, Canada - from gmail.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege
2023-08-18 2:18 ` Backwoods BC
2023-08-18 22:00 ` Doug Henderson
@ 2023-08-19 8:14 ` ASSI
2023-08-19 17:33 ` Bill Stewart
2023-08-24 16:24 ` Martin Wege
2023-08-24 13:01 ` Andrew Schulman
3 siblings, 2 replies; 12+ messages in thread
From: ASSI @ 2023-08-19 8:14 UTC (permalink / raw)
To: cygwin
Martin Wege via Cygwin writes:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.
Windows really doesn't have a defined notion of what is or is not an
"administrator". Each particular definition will be insufficient or
invalid in certain contexts. When you're dealing with hardened
installations (via group policies or otherwise), large windows domains
and/or server administration you may have to be way more specific than
just looking at one simple indication.
That said, most commonly the presence of SID S-1-5-32-544 in your user
token (in Cygwin: gid=544, unless you override it in the group config)
will be the best simple approximation. Incidentally, this is what tcsh
is using on Cygwin to define the "superuser" for the purpose of setting
the prompt with "%#":
https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212
For (ba)sh scripts you can parse the output from id along the lines of
id -G | grep -q '\<544\>' && echo admin || echo "not admin"
should be most workable.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-19 8:14 ` ASSI
@ 2023-08-19 17:33 ` Bill Stewart
2023-08-24 16:24 ` Martin Wege
1 sibling, 0 replies; 12+ messages in thread
From: Bill Stewart @ 2023-08-19 17:33 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 1653 bytes --]
On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote:
Windows really doesn't have a defined notion of what is or is not an
> "administrator". Each particular definition will be insufficient or
> invalid in certain contexts.
>
There is a definition of administrator in Windows: Your account is a
member, either directly or indirectly, of the Administrators group (SID
1-5-32-544).
With the introduction of User Account Control (UAC) in Windows Vista, if
you log on as a member of this group, processes are normally started with
the Administrators group disabled (i.e, the process is not running as a
member of Administrators). The "run as administrator" action starts a
process with the group enabled. This is commonly referred to as
"elevation." [Side note: As I understand it, one of the reasons UAC was
introduced was made was to break (some?) software developers' habits of
assuming their programs run as administrator, and to choose better data
storage paths, registry paths, etc. See
https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510
for a nice summary. Also helpful is the current docs on SIDs:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
]
On a domain, the Domain Admins group (which has a relative identifier, or
RID, of 512) is by default a member of the Administrators group. The
Administrators group is still there (same SID, S-1-5-32-544), and is called
a "Domain Local Security Group" (i.e., it's a local group that's shared by
all domain controllers.)
Hope this helps clarify.
Bill
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege
` (2 preceding siblings ...)
2023-08-19 8:14 ` ASSI
@ 2023-08-24 13:01 ` Andrew Schulman
2023-08-24 14:52 ` Bill Stewart
3 siblings, 1 reply; 12+ messages in thread
From: Andrew Schulman @ 2023-08-24 13:01 UTC (permalink / raw)
To: cygwin
> Hello,
>
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.
https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-24 13:01 ` Andrew Schulman
@ 2023-08-24 14:52 ` Bill Stewart
2023-08-24 18:46 ` Bill Stewart
0 siblings, 1 reply; 12+ messages in thread
From: Bill Stewart @ 2023-08-24 14:52 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2111 bytes --]
On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:
> How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>
This answer may be misleading. For example, when I log on using an account
that's a member of Administrators, my account is a member of the group, but
the Administrators group token is not enabled. For example, if I log on as
a member of the Administrators group and open a PowerShell window, I can
run the following, and it will output the local Administrators group (there
will be no output if the account is not a member of Administrators):
PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID
-eq "S-1-5-32-544" }
That is, while it is true that the process is a member of the
Administrators group, the group isn't enabled, so the process isn't
actually running with administrative permissions. In Windows-speak we would
say the process isn't "elevated" ("elevated" = "running with administrative
permissions"). In other words, logging on as a member of Administrators
doesn't mean that processes you start are elevated.
IME, what is normally being asked for is whether the current process is
elevated (i.e., the group is both present and enabled). The usual Windows
API way to check this is the CheckTokenMembership() function:
https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
In that reference: "The CheckTokenMembership function simplifies the
process of determining whether a SID is both present and enabled in an
access token."
As an example, I wrote a little Windows program called 'elevate' that has a
'-t' option to test whether the current process is elevated:
https://github.com/Bill-Stewart/elevate
Hope this helps clarify.
Bill
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-19 8:14 ` ASSI
2023-08-19 17:33 ` Bill Stewart
@ 2023-08-24 16:24 ` Martin Wege
2023-08-25 9:42 ` Corinna Vinschen
1 sibling, 1 reply; 12+ messages in thread
From: Martin Wege @ 2023-08-24 16:24 UTC (permalink / raw)
To: cygwin
On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote:
>
> Martin Wege via Cygwin writes:
> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
> Windows really doesn't have a defined notion of what is or is not an
> "administrator". Each particular definition will be insufficient or
> invalid in certain contexts. When you're dealing with hardened
> installations (via group policies or otherwise), large windows domains
> and/or server administration you may have to be way more specific than
> just looking at one simple indication.
>
> That said, most commonly the presence of SID S-1-5-32-544 in your user
> token (in Cygwin: gid=544, unless you override it in the group config)
> will be the best simple approximation. Incidentally, this is what tcsh
> is using on Cygwin to define the "superuser" for the purpose of setting
> the prompt with "%#":
> https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212
>
> For (ba)sh scripts you can parse the output from id along the lines of
>
> id -G | grep -q '\<544\>' && echo admin || echo "not admin"
Is there any guarantee that the UNIX GID of the "administrator" will
always be "544", regardless of locale or Country-specific version of
Windows?
Also, this might be something for a Cygwin ADMINISTRATOR&PROGRAMMING
FAQ, if there is such a thing.
Thanks,
Martin
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-24 14:52 ` Bill Stewart
@ 2023-08-24 18:46 ` Bill Stewart
0 siblings, 0 replies; 12+ messages in thread
From: Bill Stewart @ 2023-08-24 18:46 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2728 bytes --]
On Thu, Aug 24, 2023 at 8:52 AM Bill Stewart wrote:
On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:
>
> > How can I find out whether the current Cygwin terminal has
>> > Administrator rights? I want to safeguard our admin scripts with a
>> > simple test and bail out with an error if someone wants to do admin
>> > stuff (say: regtool) without admin privileges.
>>
>>
>> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>>
>
> This answer may be misleading. For example, when I log on using an account
> that's a member of Administrators, my account is a member of the group, but
> the Administrators group token is not enabled. For example, if I log on as
> a member of the Administrators group and open a PowerShell window, I can
> run the following, and it will output the local Administrators group (there
> will be no output if the account is not a member of Administrators):
>
> PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID
> -eq "S-1-5-32-544" }
>
> That is, while it is true that the process is a member of the
> Administrators group, the group isn't enabled, so the process isn't
> actually running with administrative permissions. In Windows-speak we would
> say the process isn't "elevated" ("elevated" = "running with administrative
> permissions"). In other words, logging on as a member of Administrators
> doesn't mean that processes you start are elevated.
>
> IME, what is normally being asked for is whether the current process is
> elevated (i.e., the group is both present and enabled). The usual Windows
> API way to check this is the CheckTokenMembership() function:
>
>
> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
>
> In that reference: "The CheckTokenMembership function simplifies the
> process of determining whether a SID is both present and enabled in an
> access token."
>
> As an example, I wrote a little Windows program called 'elevate' that has
> a '-t' option to test whether the current process is elevated:
>
> https://github.com/Bill-Stewart/elevate
>
To elaborate on the above, the cygwin 'id -G' command looks like it takes
this into account and only outputs enabled group IDs.
I should have checked this before I responded, of course.
In other words, 'id -G' outputs a 544 in its list if the current process is
elevated ("run as administrator"). The 544 won't be in there if the process
is not elevated. I just tested from an elevated PowerShell console:
PS C:\Windows\System32> ((id -G) -split ' ') -contains '544'
True
Sorry for any confusion.
Bill
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Test for Windows Administrator permissions from Cygwin terminal|script?
2023-08-24 16:24 ` Martin Wege
@ 2023-08-25 9:42 ` Corinna Vinschen
0 siblings, 0 replies; 12+ messages in thread
From: Corinna Vinschen @ 2023-08-25 9:42 UTC (permalink / raw)
To: cygwin
On Aug 24 18:24, Martin Wege via Cygwin wrote:
> On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote:
> >
> > Martin Wege via Cygwin writes:
> > > How can I find out whether the current Cygwin terminal has
> > > Administrator rights? I want to safeguard our admin scripts with a
> > > simple test and bail out with an error if someone wants to do admin
> > > stuff (say: regtool) without admin privileges.
> >
> > Windows really doesn't have a defined notion of what is or is not an
> > "administrator". Each particular definition will be insufficient or
> > invalid in certain contexts. When you're dealing with hardened
> > installations (via group policies or otherwise), large windows domains
> > and/or server administration you may have to be way more specific than
> > just looking at one simple indication.
> >
> > That said, most commonly the presence of SID S-1-5-32-544 in your user
> > token (in Cygwin: gid=544, unless you override it in the group config)
> > will be the best simple approximation. Incidentally, this is what tcsh
> > is using on Cygwin to define the "superuser" for the purpose of setting
> > the prompt with "%#":
> > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212
> >
> > For (ba)sh scripts you can parse the output from id along the lines of
> >
> > id -G | grep -q '\<544\>' && echo admin || echo "not admin"
>
> Is there any guarantee that the UNIX GID of the "administrator" will
> always be "544", regardless of locale or Country-specific version of
> Windows?
https://cygwin.com/pipermail/cygwin/2023-August/254218.html
Corinna
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2023-08-25 9:42 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-18 2:01 Test for Windows Administrator permissions from Cygwin terminal|script? Martin Wege
2023-08-18 2:18 ` Backwoods BC
2023-08-18 8:49 ` Mark Geisert
2023-08-18 8:59 ` Mark Geisert
2023-08-18 22:00 ` Doug Henderson
2023-08-19 8:14 ` ASSI
2023-08-19 17:33 ` Bill Stewart
2023-08-24 16:24 ` Martin Wege
2023-08-25 9:42 ` Corinna Vinschen
2023-08-24 13:01 ` Andrew Schulman
2023-08-24 14:52 ` Bill Stewart
2023-08-24 18:46 ` Bill Stewart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).