Mail Archives: cygwin/2023/08/24/10:53:28

Date: Thu, 24 Aug 2023 08:52:39 -0600
Subject: Re: Test for Windows Administrator permissions from Cygwin terminal|script?
To: cygwin AT cygwin DOT com
From: Bill Stewart via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Bill Stewart <bstewart AT iname DOT com>

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:

> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
>

This answer may be misleading. For example, when I log on using an account
that's a member of Administrators, my account is a member of the group, but
the Administrators group token is not enabled. For example, if I log on as
a member of the Administrators group and open a PowerShell window, I can
run the following, and it will output the local Administrators group (there
will be no output if the account is not a member of Administrators):

PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" }

That is, while it is true that the process is a member of the
Administrators group, the group isn't enabled, so the process isn't
actually running with administrative permissions. In Windows-speak we would
say the process isn't "elevated" ("elevated" = "running with administrative
permissions"). In other words, logging on as a member of Administrators
doesn't mean that processes you start are elevated.

IME, what is normally being asked for is whether the current process is
elevated (i.e., the group is both present and enabled). The usual Windows
API way to check this is the CheckTokenMembership() function:

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership

In that reference: "The CheckTokenMembership function simplifies the
process of determining whether a SID is both present and enabled in an
access token."

As an example, I wrote a little Windows program called 'elevate' that has a
'-t' option to test whether the current process is elevated:

https://github.com/Bill-Stewart/elevate

Hope this helps clarify.

Bill
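
Added example (not part of the message above and not code from the 'elevate' project): a Cygwin bash guard that applies the present-versus-enabled distinction to `whoami /groups /fo csv` output, telling a filtered Administrators membership apart from an elevated one. It assumes English-locale attribute strings and that Windows' whoami.exe is reachable via `cygpath -S`; the function names and the sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: decide elevation from `whoami /groups /fo csv` output.
ADMIN_SID='S-1-5-32-544'   # BUILTIN\Administrators, the SID used in the message

# Reads the CSV on stdin and prints one of:
#   elevated            SID present and enabled
#   member-not-enabled  SID present but filtered (deny-only)
#   not-member          SID absent from the token
# Assumption: English attribute strings ("Enabled group", "deny only").
classify_admin_group() {
  awk -v sid="$ADMIN_SID" '
    BEGIN { FS = "\",\""; state = "not-member" }
    { sub(/\r$/, "") }                      # whoami.exe emits CRLF
    $3 == sid {
      attrs = $4; sub(/"$/, "", attrs)      # drop the closing quote
      if (attrs ~ /Enabled group/ && attrs !~ /deny only/) state = "elevated"
      else state = "member-not-enabled"
    }
    END { print state }'
}

# Guard for admin scripts. Calls the Windows whoami.exe explicitly, because
# a bare `whoami` in Cygwin resolves to the coreutils command.
require_elevation() {
  local state
  state=$("$(cygpath -S)/whoami.exe" /groups /fo csv | classify_admin_group)
  [ "$state" = elevated ] && return 0
  echo "error: elevated shell required (Administrators group: $state)" >&2
  return 1
}

# Constructed sample output (not captured from a real host).
# $1 = Attributes value for the Administrators row; empty = omit the row.
sample_csv() {
  printf '"Group Name","Type","SID","Attributes"\r\n'
  printf '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"\r\n'
  [ -z "$1" ] || printf '"BUILTIN\\Administrators","Alias","%s","%s"\r\n' "$ADMIN_SID" "$1"
}

# Demo on the constructed samples: non-elevated admin, elevated admin, non-admin.
for attrs in 'Group used for deny only' \
             'Mandatory group, Enabled by default, Enabled group, Group owner' ''; do
  sample_csv "$attrs" | classify_admin_group
done
```

In an admin script, call `require_elevation || exit 1` before the first privileged command such as regtool.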
