Mail Archives: cygwin/2012/08/16/13:46:35

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,KHOP_THREADED,RP_MATCHES_RCVD,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: Kurt Franke <Kurt-Franke AT web DOT de>
Subject: Re: Question about UAC and bash/cygwin
Date: Thu, 16 Aug 2012 17:45:36 +0000 (UTC)
Lines: 230
Message-ID: <loom.20120816T193349-581@post.gmane.org>
References: <CAG9p0OTFaLUp7c8zpOtVQ=4zt-=fAqPvURJw758FS+d2rPOtgw AT mail DOT gmail DOT com> <CE9C056E12502146A72FD81290379E9A49600AF0 AT ENFIRHMBX1 DOT datcon DOT co DOT uk> <CAG9p0OQsu08mOqGC4NkAvKE_GbjvBJk675XR6TdU5+urbNsEuQ AT mail DOT gmail DOT com> <502C6B1C DOT 5030900 AT cygwin DOT com> <CAG9p0OS3HKvaE9ye6g3vKP4kXPZGBw=uc-ELb0WcvdPefGQmFg AT mail DOT gmail DOT com> <20120816090344 DOT GD5536 AT calimero DOT vinschen DOT de> <CAG9p0ORs1BLte6nm_8iAHQan1Y+mESJQpNmjf=SiuJjHuSr83g AT mail DOT gmail DOT com> <20120816113834 DOT GF17546 AT calimero DOT vinschen DOT de> <CAG9p0ORUkRjJekPeD7UcN5-uHE+sFHWqAv0P60k+_o3tw_caSA AT mail DOT gmail DOT com> <20120816143205 DOT GI17546 AT calimero DOT vinschen DOT de> <CAG9p0ORP=_QxKFJJ_oSVWeodWA_tLgFcSBsA+ERNqQBk1OPaiA AT mail DOT gmail DOT com>
Mime-Version: 1.0
User-Agent: Loom/3.14 (http://gmane.org/)
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Lord Laraby <lord.laraby <at> gmail.com> writes:

> 
> On Thu, Aug 16, 2012, Corinna Vinschen wrote:
> > On Aug 16 08:48, Lord Laraby wrote:
> >> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> >> > On Aug 16 07:06, Lord Laraby wrote:
> >>
> >> See, here where I said I want to know if the user is in fact
> >> "elevated"?  I'm always a member of the Administrators Group (group
> >> 544) even when I have no such privileges to "administer" the system.
> >>
> >> > What is it good for to have uid 0?  You want to know if you have admin
> >> > rights, so why don't you simply check for the admin group in the
> >> > supplementary group list?
> >>
> >> The uid 0 feature is just a unixy way of indicating that my account
> >> has already passed and accepted the UAC and I'm now running as a
> >> normal admin (not a puny user).
> >>
> > Huh?  When you're not running elevated, the admin group will not be in
> > the list of supplementary groups.  What other information do you need?
> > What's the problem?
> >
> >
> > Corinna
> 
> Apparently, we're seeing completely different things then. Here's two
> examples I ran one normally and one elevated.
> 
> non-elevated:
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
> 
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.tmp
> mv: cannot move `accessibility.conf' to `accessibility.conf.tmp':
> Permission denied
> 
> ^^^ Not able to bypass ACL (but note being in group 0 (544)
> 
> *** Now try in elevated mode
> Elevated:
> master <at> Master-PC ~
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> 
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.sav
> 
> ^^^ No error and successfully used admin privileges...
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf.sav accessibility.conf
> 
> ^^^ Again
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> master <at> Master-PC /etc/at-spi2
> ------------
> 
> See, root (545) is in my groups all the time - elevated or not. Whether
> this is an error of some magnitude that was inadvertently introduced,
> I cannot say.
> 
> Needless to say, as you can see from the sample output above, I can only
> do certain things elevated (admin-type tasks) regardless of having
> root in my groups.
> 
> Any suggestions on why I get different results?
> 
> LL
> 

Hi,

I got a hint on how to do this on this list some years ago from Brian Dessent.
The function CheckTokenMembership() must be called for this, like it is done in
the following program:

================= +++ CheckTokenMembership-Admin.c =================

#include <stdio.h>
#include <stdlib.h>
#define _WIN32_WINNT 0x0500   /* CheckTokenMembership() needs Windows 2000 or later */
#include <windows.h>

int main (int argc, char **argv)
{
  SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
  PSID AdministratorsGroup;
  BOOL isAdmin;

  /* Build the well-known SID S-1-5-32-544 (BUILTIN\Administrators). */
  if (AllocateAndInitializeSid (&NtAuthority, 2,
          SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
          0, 0, 0, 0, 0, 0, &AdministratorsGroup) == 0)
    {
      printf ("failed with win32 error %lu\n", (unsigned long) GetLastError ());
      exit (2);
    }

  /* A NULL token means "the caller's own token".  Under UAC the
     non-elevated token still carries the Administrators SID, but
     flagged SE_GROUP_USE_FOR_DENY_ONLY; CheckTokenMembership()
     ignores deny-only SIDs, so isAdmin is FALSE unless elevated. */
  if (CheckTokenMembership (NULL, AdministratorsGroup, &isAdmin) == 0)
    {
      printf ("failed with win32 error %lu\n", (unsigned long) GetLastError ());
      FreeSid (AdministratorsGroup);
      exit (2);
    }

  FreeSid (AdministratorsGroup);
  exit (!isAdmin);
}

================= --- CheckTokenMembership-Admin.c =================

Its exit value indicates whether the admin token is active or not, that is,
whether the process is elevated or not:

0 : elevated
1 : not elevated



I use a wrapper script around it to allow handling of Windows
versions which don't support the CheckTokenMembership() function.
If the version is less than NT-6.0, or if the program is not found in the path,
it uses the traditional method of checking for Administrators group
membership, and returns with an exit value of 2 for "possibly elevated"
if membership exists and the Windows version is NT-6.0 or greater.


================= +++ isAdmin =================
#! /bin/bash

# check if running with admin privileges
# to make the check language independent use group ids, not names:
# get the Administrators group ids from /etc/group by checking for lines
# holding the well-known SID ':S-1-5-32-544:' in the second field

is_NT=$(uname | grep -c CYGWIN_NT)

if [ "$is_NT" -gt 0 ]
then
  # uname prints e.g. CYGWIN_NT-6.1 or CYGWIN_NT-6.1-WOW64
  NT_version=$(uname | cut -d- -f2)
else
  NT_version="-1.0"
fi

NT_main_version=$(echo "$NT_version" | cut -d. -f1)

if [ "$is_NT" -gt 0 -a "$NT_main_version" -ge 5 ]
then
  # executable calling CheckTokenMembership for the Admin group
  # which will also get the correct result for non-elevated
  # Admin sessions when running under Vista
  # first check if it is there
  if type CheckTokenMembership-Admin >/dev/null 2>&1
  then
    CheckTokenMembership-Admin
    exit $?
  fi
  # if CheckTokenMembership-Admin is not found then just
  # use the standard test as for other Windows versions
fi

hasAdminGroup=0
group_ids=$(id -G)
for i in $(grep ':S-1-5-32-544:' /etc/group | cut -d: -f3)
do
  for k in $group_ids
  do
    [ "$k" = "$i" ] && hasAdminGroup=$((hasAdminGroup+1))
  done
done

if [ "$hasAdminGroup" -gt 0 ]
then
  if [ "$is_NT" -gt 0 -a "$NT_main_version" -ge 6 ]
  then
    # cannot really determine if running with admin privileges
    # in Windows Vista when only checking the group membership:
    # exit with another value to indicate this
    exit 2
  else
    exit 0
  fi
else
  exit 1
fi


================= --- isAdmin =================



regards

kf
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
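An added example, not part of Kurt Franke's post and not Cygwin code: the same three-way answer as his isAdmin script (elevated / admin but UAC-filtered / not admin), derived from the SIDs that Windows' own `whoami /groups /fo csv /nh` prints instead of from a compiled helper. Only the SID column is inspected, so the check stays language independent (the attribute text such as "Group used for deny only" is localized). It rests on two token facts: a UAC-filtered token still lists the Administrators SID S-1-5-32-544 (marked deny-only, which is why CheckTokenMembership() above reports FALSE for it), and the token's integrity label is S-1-16-8192 (Medium) when filtered and S-1-16-12288 (High) or above when elevated. It assumes Vista or later with whoami.exe on the PATH; the sample rows are constructed to match the whoami csv layout (group name, type, SID, attributes), trimmed to the relevant groups.

```shell
#!/bin/bash
# Added example (not from the original post): classify the current Windows
# token from `whoami /groups /fo csv /nh` output, using SIDs only.
#
# Real use under Cygwin on Vista or later (assumes whoami.exe on PATH):
#   whoami /groups /fo csv /nh | tr -d '\r' | classify_token
#
# Prints:  elevated | filtered-admin | not-admin
# Exit:    0 elevated, 1 not admin, 2 filtered admin  (same values as isAdmin)

ADMINS_SID='S-1-5-32-544'      # BUILTIN\Administrators
HIGH_IL_RID=12288              # S-1-16-12288 = High Mandatory Level

# csv_field LINE N: print the N-th quoted field of a whoami csv row.
# Rows look like "a","b","c","d"; splitting on '"' puts field N at position 2N.
csv_field() {
  printf '%s\n' "$1" | cut -d'"' -f$((2 * $2))
}

classify_token() {
  local line sid admin_present=0 il_rid=0
  while IFS= read -r line; do
    sid=$(csv_field "$line" 3)
    case "$sid" in
      "$ADMINS_SID") admin_present=1 ;;          # Administrators SID present (enabled or deny-only)
      S-1-16-*)      il_rid=${sid#S-1-16-} ;;    # integrity label: 8192 Medium, 12288 High, 16384 System
    esac
  done
  if [ "$admin_present" -eq 0 ]; then
    echo not-admin; return 1
  elif [ "$il_rid" -ge "$HIGH_IL_RID" ]; then
    echo elevated; return 0
  else
    # Administrators SID is in the token, but the token runs at Medium (or lower)
    # integrity: UAC filtered it and flagged the SID deny-only, the case that
    # CheckTokenMembership() reports as "not a member".
    echo filtered-admin; return 2
  fi
}

# Constructed sample rows (Windows 7 layout), trimmed to the groups that matter.
SAMPLE_ELEVATED='"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'
SAMPLE_FILTERED='"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
SAMPLE_USER='"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'

# Run the classifier over the three constructed samples.
demo() {
  local sample rc
  for sample in "$SAMPLE_ELEVATED" "$SAMPLE_FILTERED" "$SAMPLE_USER"; do
    rc=0
    printf '%s\n' "$sample" | classify_token || rc=$?
    echo "  (exit status $rc)"
  done
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Two caveats for real use: whoami prints CRLF line ends, hence the `tr -d '\r'`, and on XP/2003 there is no integrity label row at all, so an admin token would come out as "filtered-admin"; on those versions treat it as plain admin, which is what the NT version test in the isAdmin script does. With UAC switched off the admin token is not filtered and runs at High integrity, so "elevated" is reported, which matches what the process can actually do.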

  Copyright © 2019   by DJ Delorie     Updated Jul 2019