Test for Windows Administrator permissions from Cygwin terminal|script?

Test for Windows Administrator permissions from Cygwin terminal|script?

[Martin Wege]

Hello,

How can I find out whether the current Cygwin terminal has
Administrator rights? I want to safeguard our admin scripts with a
simple test and bail out with an error if someone wants to do admin
stuff (say: regtool) without admin privileges.

Thanks,
Martin

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Backwoods BC]

On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin
<cygwin@cygwin.com> wrote:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.
>
> Thanks,
> Martin

I don't know if this is the official method, but it works for me:

##### Shell Options
# Elevated privilege windows have $SESSIONNAME set
if [ "$SESSIONNAME" == "" ] ;then
  printf -v adminPmt '[\u2022Admin\u2022] '
else
  export adminPmt=""
fi

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Mark Geisert]

Backwoods BC via Cygwin wrote:
> On Thu, Aug 17, 2023 at 7:01 PM Martin Wege via Cygwin
> <cygwin@cygwin.com> wrote:
>> How can I find out whether the current Cygwin terminal has
>> Administrator rights? I want to safeguard our admin scripts with a
>> simple test and bail out with an error if someone wants to do admin
>> stuff (say: regtool) without admin privileges.
>>
>> Thanks,
>> Martin
> 
> I don't know if this is the official method, but it works for me:
> 
> ##### Shell Options
> # Elevated privilege windows have $SESSIONNAME set
> if [ "$SESSIONNAME" == "" ] ;then
>    printf -v adminPmt '[\u2022Admin\u2022] '
> else
>    export adminPmt=""
> fi

I see the opposite on my machine.  Admin window has empty $SESSIONNAME, non-Admin 
window has "Console".

What I do locally is check the output of the 'id' command.  If group 
544(Administrators) is present, that's a window with Admin rights.  Inside .bashrc 
I have a simple grep test on the output of 'id' to set PS1 (shell prompt) 
appropriately.

..mark

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Mark Geisert]

Mark Geisert via Cygwin wrote:
> Backwoods BC via Cygwin wrote:
[...]
>> I don't know if this is the official method, but it works for me:
>>
>> ##### Shell Options
>> # Elevated privilege windows have $SESSIONNAME set
>> if [ "$SESSIONNAME" == "" ] ;then
>>    printf -v adminPmt '[\u2022Admin\u2022] '
>> else
>>    export adminPmt=""
>> fi
> 
> I see the opposite on my machine.  Admin window has empty $SESSIONNAME, non-Admin 
> window has "Console".

Feh, I mentally reversed the 'if' clauses.  I see the same $SESSIONNAME behavior 
on my machine.  Sorry for the noise.

..mark

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Doug Henderson]

On Thu, Aug 17, 2023 at 8:02 PM Martin Wege via Cygwin
<cygwin@cygwin.com> wrote:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.

I use this bash function:

# isadmin - is shell a regular user or admin user
function isadmin()
{
    $(cygpath -u 'C:\Windows\System32\net.exe') session > /dev/null 2>&1
    if [ $? -eq 0 ]; then echo "admin"
    else echo "user"; fi
}

I imagine any other Windows app that needs admin permissions would work.

I use this to change the color of the prompt ($PS1) for the admin user to red.

HTH
Doug

-- 
Doug Henderson, Calgary, Alberta, Canada - from gmail.com

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[ASSI]

Martin Wege via Cygwin writes:
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.

Windows really doesn't have a defined notion of what is or is not an
"administrator".  Each particular definition will be insufficient or
invalid in certain contexts.  When you're dealing with hardened
installations (via group policies or otherwise), large windows domains
and/or server administration you may have to be way more specific than
just looking at one simple indication.

That said, most commonly the presence of SID S-1-5-32-544 in your user
token (in Cygwin: gid=544, unless you override it in the group config)
will be the best simple approximation.  Incidentally, this is what tcsh
is using on Cygwin to define the "superuser" for the purpose of setting
the prompt with "%#":
https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212

For (ba)sh scripts you can parse the output from id along the lines of

id -G | grep -q '\<544\>' && echo admin || echo "not admin"

should be most workable.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Bill Stewart]

[-- Attachment #1: Type: text/plain, Size: 1653 bytes --]

On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote:

Windows really doesn't have a defined notion of what is or is not an
> "administrator".  Each particular definition will be insufficient or
> invalid in certain contexts.
>

There is a definition of administrator in Windows: Your account is a
member, either directly or indirectly, of the Administrators group (SID
1-5-32-544).

With the introduction of User Account Control (UAC) in Windows Vista, if
you log on as a member of this group, processes are normally started with
the Administrators group disabled (i.e, the process is not running as a
member of Administrators). The "run as administrator" action starts a
process with the group enabled. This is commonly referred to as
"elevation." [Side note: As I understand it, one of the reasons UAC was
introduced was made was to break (some?) software developers' habits of
assuming their programs run as administrator, and to choose better data
storage paths, registry paths, etc. See
https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510
for a nice summary. Also helpful is the current docs on SIDs:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
]

On a domain, the Domain Admins group (which has a relative identifier, or
RID, of 512) is by default a member of the Administrators group. The
Administrators group is still there (same SID, S-1-5-32-544), and is called
a "Domain Local Security Group" (i.e., it's a local group that's shared by
all domain controllers.)

Hope this helps clarify.

Bill

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Andrew Schulman]

> Hello,
> 
> How can I find out whether the current Cygwin terminal has
> Administrator rights? I want to safeguard our admin scripts with a
> simple test and bail out with an error if someone wants to do admin
> stuff (say: regtool) without admin privileges.

https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Bill Stewart]

[-- Attachment #1: Type: text/plain, Size: 2111 bytes --]

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:

> How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>

This answer may be misleading. For example, when I log on using an account
that's a member of Administrators, my account is a member of the group, but
the Administrators group token is not enabled. For example, if I log on as
a member of the Administrators group and open a PowerShell window, I can
run the following, and it will output the local Administrators group (there
will be no output if the account is not a member of Administrators):

PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID
-eq "S-1-5-32-544" }

That is, while it is true that the process is a member of the
Administrators group, the group isn't enabled, so the process isn't
actually running with administrative permissions. In Windows-speak we would
say the process isn't "elevated" ("elevated" = "running with administrative
permissions"). In other words, logging on as a member of Administrators
doesn't mean that processes you start are elevated.

IME, what is normally being asked for is whether the current process is
elevated (i.e., the group is both present and enabled). The usual Windows
API way to check this is the CheckTokenMembership() function:

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership

In that reference: "The CheckTokenMembership function simplifies the
process of determining whether a SID is both present and enabled in an
access token."

As an example, I wrote a little Windows program called 'elevate' that has a
'-t' option to test whether the current process is elevated:

https://github.com/Bill-Stewart/elevate

Hope this helps clarify.

Bill

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Martin Wege]

On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote:
>
> Martin Wege via Cygwin writes:
> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
> Windows really doesn't have a defined notion of what is or is not an
> "administrator".  Each particular definition will be insufficient or
> invalid in certain contexts.  When you're dealing with hardened
> installations (via group policies or otherwise), large windows domains
> and/or server administration you may have to be way more specific than
> just looking at one simple indication.
>
> That said, most commonly the presence of SID S-1-5-32-544 in your user
> token (in Cygwin: gid=544, unless you override it in the group config)
> will be the best simple approximation.  Incidentally, this is what tcsh
> is using on Cygwin to define the "superuser" for the purpose of setting
> the prompt with "%#":
> https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212
>
> For (ba)sh scripts you can parse the output from id along the lines of
>
> id -G | grep -q '\<544\>' && echo admin || echo "not admin"

Is there any guarantee that the UNIX GID of the "administrator" will
always be "544", regardless of locale or Country-specific version of
Windows?

Also, this might be something for a Cygwin ADMINISTRATOR&PROGRAMMING
FAQ, if there is such a thing.

Thanks,
Martin

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Bill Stewart]

[-- Attachment #1: Type: text/plain, Size: 2728 bytes --]

On Thu, Aug 24, 2023 at 8:52 AM Bill Stewart wrote:

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:
>
> > How can I find out whether the current Cygwin terminal has
>> > Administrator rights? I want to safeguard our admin scripts with a
>> > simple test and bail out with an error if someone wants to do admin
>> > stuff (say: regtool) without admin privileges.
>>
>>
>> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>>
>
> This answer may be misleading. For example, when I log on using an account
> that's a member of Administrators, my account is a member of the group, but
> the Administrators group token is not enabled. For example, if I log on as
> a member of the Administrators group and open a PowerShell window, I can
> run the following, and it will output the local Administrators group (there
> will be no output if the account is not a member of Administrators):
>
> PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID
> -eq "S-1-5-32-544" }
>
> That is, while it is true that the process is a member of the
> Administrators group, the group isn't enabled, so the process isn't
> actually running with administrative permissions. In Windows-speak we would
> say the process isn't "elevated" ("elevated" = "running with administrative
> permissions"). In other words, logging on as a member of Administrators
> doesn't mean that processes you start are elevated.
>
> IME, what is normally being asked for is whether the current process is
> elevated (i.e., the group is both present and enabled). The usual Windows
> API way to check this is the CheckTokenMembership() function:
>
>
> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
>
> In that reference: "The CheckTokenMembership function simplifies the
> process of determining whether a SID is both present and enabled in an
> access token."
>
> As an example, I wrote a little Windows program called 'elevate' that has
> a '-t' option to test whether the current process is elevated:
>
> https://github.com/Bill-Stewart/elevate
>

To elaborate on the above, the cygwin 'id -G' command looks like it takes
this into account and only outputs enabled group IDs.

I should have checked this before I responded, of course.

In other words, 'id -G' outputs a 544 in its list if the current process is
elevated ("run as administrator"). The 544 won't be in there if the process
is not elevated. I just tested from an elevated PowerShell console:

PS C:\Windows\System32> ((id -G) -split ' ') -contains '544'
True

Sorry for any confusion.

Bill

Re: Test for Windows Administrator permissions from Cygwin terminal|script?

[Corinna Vinschen]

On Aug 24 18:24, Martin Wege via Cygwin wrote:
> On Sat, Aug 19, 2023 at 10:15 AM ASSI via Cygwin <cygwin@cygwin.com> wrote:
> >
> > Martin Wege via Cygwin writes:
> > > How can I find out whether the current Cygwin terminal has
> > > Administrator rights? I want to safeguard our admin scripts with a
> > > simple test and bail out with an error if someone wants to do admin
> > > stuff (say: regtool) without admin privileges.
> >
> > Windows really doesn't have a defined notion of what is or is not an
> > "administrator".  Each particular definition will be insufficient or
> > invalid in certain contexts.  When you're dealing with hardened
> > installations (via group policies or otherwise), large windows domains
> > and/or server administration you may have to be way more specific than
> > just looking at one simple indication.
> >
> > That said, most commonly the presence of SID S-1-5-32-544 in your user
> > token (in Cygwin: gid=544, unless you override it in the group config)
> > will be the best simple approximation.  Incidentally, this is what tcsh
> > is using on Cygwin to define the "superuser" for the purpose of setting
> > the prompt with "%#":
> > https://github.com/tcsh-org/tcsh/blob/d075ab5b4155ebff9d30e765733c030c3da5e362/tc.prompt.c#L212
> >
> > For (ba)sh scripts you can parse the output from id along the lines of
> >
> > id -G | grep -q '\<544\>' && echo admin || echo "not admin"
> 
> Is there any guarantee that the UNIX GID of the "administrator" will
> always be "544", regardless of locale or Country-specific version of
> Windows?

https://cygwin.com/pipermail/cygwin/2023-August/254218.html


Corinna