| Message-ID: | <951d52d0-a2c2-8e98-103f-da5af50cd114@Shaw.ca> |
| Date: | Fri, 22 Sep 2023 08:18:40 -0600 |
| Subject: | Re: Running bash script as SYSTEM from account with admin rights? |
| From: | Brian Inglis via Cygwin <cygwin AT cygwin DOT com> |
On 2023-09-22 06:39, Christian Franke via Cygwin wrote:
> Martin Wege via Cygwin wrote:
>> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
>> <cygwin AT cygwin DOT com> wrote:
>>> Martin Wege via Cygwin wrote:
>>>> Hello,
>>>>
>>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>>> account already has admin rights?
>>> No (AFAIK).
>>>
>>> I use psexec from Sysinternals tools
>>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>>
>>> This starts a Cygwin terminal as SYSTEM user:
>>>
>>> psexec -s -i c:\cygwin\bin\mintty -
>> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).
>
> Then it is possibly not recommended to do anything special that psexec could do,
> except if there exists an explicit permission :-)
>
>
>> Windows has
>> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
>> Can we use that to write a C wrapper program, to switch from current
>> user with admin rights to the SYSTEM account, execute command and then
>> exit(0) the wrapper?
>
> Functions from this API are also used by the setuid() emulation of Cygwin
> (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). User
> switching relies on an access token returned by LogonUser() or similar. This
> requires a password or other credential which is (AFAIK) never available for the
> SYSTEM user.
>
> Windows services are run as SYSTEM by default. Running the script with bash
> installed as a service (via cygrunsrv) may do the trick.

For elevated automated scripts, such as service startup, shutdown, and cleanup,
I add privileged jobs as Scheduled Tasks under account SYSTEM, whether logged in
or not, with highest privileges, command c:\cygwin\bin\dash arguments
/usr/local/bin/....sh.

For interactive elevated commands (normally Windows commands), such as firewall
rules for testing network packages like curl, I use an auto-elevate wrapper as
in the attached script.

--
Take care. Thanks, Brian Inglis
Calgary, Alberta, Canada

La perfection est atteinte
non pas lorsqu'il n'y a plus rien à ajouter
mais lorsqu'il n'y a plus rien à retirer

Perfection is achieved
not when there is no more to add
but when there is no more to cut
-- Antoine de Saint-Exupéry
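
A Scheduled Task that runs a Cygwin shell as SYSTEM, as described in the reply above, executes whatever the interpreter and script files contain, so their ACLs need review. The following is an added example, not part of the original message or its attachment: it reads a task definition in Task Scheduler XML form and lists the Windows files that the task runs as SYSTEM. The sample task, the script name `example-cleanup.sh`, and `CYGWIN_ROOT` are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
SHELLS = {"dash", "bash", "sh"}
CYGWIN_ROOT = PureWindowsPath(r"c:\cygwin")  # assumption: install root as in the post

# Constructed sample in Task Scheduler XML form; the script name is a placeholder.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>c:\cygwin\bin\dash</Command>
    <Arguments>/usr/local/bin/example-cleanup.sh</Arguments>
  </Exec></Actions>
</Task>"""

def to_windows_path(posix_path, root=CYGWIN_ROOT):
    """Map a Cygwin POSIX path to the Windows file whose ACL must be checked."""
    parts = [p for p in posix_path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "cygdrive":
        return PureWindowsPath(parts[1].upper() + ":\\", *parts[2:])
    if parts[:2] in (["usr", "bin"], ["usr", "lib"]):
        parts = parts[1:]  # default Cygwin mounts: /usr/bin -> <root>\bin
    return root.joinpath(*parts)

def files_run_as_system(task_xml):
    """Return interpreter and script paths a SYSTEM task runs via a Cygwin shell."""
    task = ET.fromstring(task_xml)
    user = task.findtext("t:Principals/t:Principal/t:UserId", "", NS).strip()
    if user.upper() not in SYSTEM_IDS:
        return []
    paths = []
    for action in task.iterfind("t:Actions/t:Exec", NS):
        cmd = PureWindowsPath(action.findtext("t:Command", "", NS).strip().strip('"'))
        if cmd.stem.lower() not in SHELLS:
            continue
        paths.append(str(cmd))
        for arg in action.findtext("t:Arguments", "", NS).split():
            if arg.startswith("/"):  # POSIX path handed to the shell
                paths.append(str(to_windows_path(arg)))
    return paths

if __name__ == "__main__":
    for path in files_run_as_system(SAMPLE_TASK):
        print("review ACL (e.g. icacls):", path)
```

Any listed file, or a directory above it, that a non-administrator can write to lets that account run code as SYSTEM the next time the task fires.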
Attachment: auto-elevate-admin-script-cmd.txt