Mail Archives: cygwin/2023/09/22/08:39:52

Subject: Re: Running bash script as SYSTEM from account with admin rights?
To: cygwin AT cygwin DOT com
References: <CANH4o6M0id2F7VCyzFWzje-BUd2oRGhp07PRNLJnEyzkYTbhSA AT mail DOT gmail DOT com>
<b4f5c1be-8b8d-6abc-6c13-c86537f4af43 AT t-online DOT de>
<CANH4o6P+x7VaB0W5kjxmd_4DOHi8GDuRmfyZfE3dNJ4YixTfzQ AT mail DOT gmail DOT com>
Message-ID: <80d1ad82-efce-79e7-5e49-f884f50035f6@t-online.de>
Date: Fri, 22 Sep 2023 14:39:08 +0200
From: Christian Franke via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Christian Franke <Christian DOT Franke AT t-online DOT de>

Martin Wege via Cygwin wrote:
> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
> <cygwin AT cygwin DOT com> wrote:
>> Martin Wege via Cygwin wrote:
>>> Hello,
>>>
>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>> account already has admin rights?
>> No (AFAIK).
>>
>> I use psexec from Sysinternals tools
>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>
>> This starts a Cygwin terminal as SYSTEM user:
>>
>> psexec -s -i c:\cygwin\bin\mintty -
> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).

Then it is possibly not recommended to do anything special that psexec 
could do, except if there exists an explicit permission :-)


> Windows has https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
> Can we use that to write a C wrapper program, to switch from current
> user with admin rights to the SYSTEM account, execute command and then
> exit(0) the wrapper?

Functions from this API are also used by the setuid() emulation of Cygwin
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). 
User switching relies on an access token returned by LogonUser() or 
similar. This requires a password or other credential which is (AFAIK) 
never available for the SYSTEM user.

Windows services are run as SYSTEM by default. Running the script with 
bash installed as a service (via cygrunsrv) may do the trick.

-- 
Regards,
Christian

