To: cygwin AT cygwin DOT com
From: Kurt Franke
Subject: Re: Question about UAC and bash/cygwin
Date: Thu, 16 Aug 2012 17:45:36 +0000 (UTC)

Lord Laraby gmail.com> writes:

>
> On Thu, Aug 16, 2012 Corinna Vinschen
> > On Aug 16 08:48, Lord Laraby wrote:
> >> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> >> > On Aug 16 07:06, Lord Laraby wrote:
> >>
> >> See, here where I said I want to know if the user is in fact
> >> "elevated"? I'm always a member of the Administrators Group (group
> >> 544) even when I have no such privileges to "administer" the system.
> >>
> >> > What is it good for to have uid 0? You want to know if you have admin
> >> > rights, so why don't you simply check for the admin group in the
> >> > supplementary group list?
> >>
> >> The uid 0 feature is just a unixy way of indicating that my account
> >> has already passed and accepted the UAC and I'm now running as a
> >> normal admin (not a puny user).
> >>
> > Huh? When you're not running elevated, the admin group will not be in
> > the list of supplementary groups. What other information do you need?
> > What's the problem?
> >
> >
> > Corinna
>
> Apparently, we're seeing completely different things then. Here's two
> examples I ran one normally and one elevated.
>
> non-elevated:
> master Master-PC ~
> $ cd /etc/at-spi2/
>
> master Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
>
> master Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.tmp
> mv: cannot move `accessibility.conf' to `accessibility.conf.tmp':
> Permission denied
>
> ^^^ Not able to bypass ACL (but note being in group 0 (544)
>
> *** Now try in elevated mode
> Elevated:
> master Master-PC ~
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
>
> master Master-PC ~
> $ cd /etc/at-spi2/
>
> master Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.sav
>
> ^^^ No error and successfully used admin privileges...
>
> master Master-PC /etc/at-spi2
> $ mv accessibility.conf.sav accessibility.conf
>
> ^^^ Again
>
> master Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> master Master-PC /etc/at-spi2
> ------------
>
> See, root (545) is on my groups all the time - elevated or not. Unless
> this is an error of some magnitude that it was inadvertently changed,
> I cannot say.
>
> Needless to say, as you can see from the sample out above, I can only
> do certain things elevated (admin-type tasks) regardless of having
> root in my groups.
>
> Any suggestions on why I get different results?
>
> LL
>

Hi,

I got a hint how to do this on this list some years ago by Brian Dessent.
The function CheckTokenMembership() must be called for this like done in the
following program:

=================
+++ CheckTokenMembership-Admin.c
=================
#include <stdio.h>
#include <stdlib.h>
#define _WIN32_WINNT 0x0500
#include <windows.h>

int
main (int argc, char **argv)
{
  SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
  PSID AdministratorsGroup;
  BOOL isAdmin;

  /* Build the well-known SID S-1-5-32-544 (Administrators group) and ask
     whether it is enabled in the token of the caller.  */
  if (AllocateAndInitializeSid (&NtAuthority, 2,
                                SECURITY_BUILTIN_DOMAIN_RID,
                                DOMAIN_ALIAS_RID_ADMINS,
                                0, 0, 0, 0, 0, 0,
                                &AdministratorsGroup) == 0
      || CheckTokenMembership (NULL, AdministratorsGroup, &isAdmin) == 0)
    {
      printf ("failed with win32 error %lu\n", GetLastError ());
      exit (2);
    }
  FreeSid (AdministratorsGroup);
  /* Exit status 0 if the Administrators SID is enabled, 1 otherwise.  */
  exit (!isAdmin);
}
=================
--- CheckTokenMembership-Admin.c
=================

Its exit value indicates if admin token is active or not - speaking
elevated or not:
  0 : elevated
  1 : not elevated

I use a script around it for calling to allow handling for windows versions
which don't support the CheckTokenMembership() function.
If version is less than NT-6.0 or if the program is not found in path it
uses the traditional method of checking for Administrators group membership
and returns with an exit value of two for "possible elevated" if membership
exists and the windows version is NT-6.0 or greater

=================
+++ isAdmin
=================
#! /bin/bash

# check if running with admin privileges
# to make the check language independent use group id's not names
# get the administrators group id's from /etc/group checking for lines
# holding wellknown sid ':S-1-5-32-544:' in second field

is_NT=`uname | grep CYGWIN_NT | wc -l`
if [ $is_NT -gt 0 ]
then
  NT_version=`uname | cut -d- -f2`
else
  NT_version="-1.0"
fi
NT_main_version=`echo $NT_version | cut -d. -f1`

if [ $is_NT -gt 0 -a $NT_main_version -ge 5 ]
then
  # executable calling CheckTokenMembership for the Admin group
  # which will also get correct result for non-elevated
  # Admin sessions when running under vista
  # first check if it is there
  type CheckTokenMembership-Admin >/dev/null 2>&1
  found_CheckTokenMembership_Admin=$?
  if [ $found_CheckTokenMembership_Admin -eq 0 ]
  then
    CheckTokenMembership-Admin
    exit $?
  fi
  # if CheckTokenMembership-Admin is not found then just
  # use the standard test as for other Windows Versions
fi

hasAdminGroup=0
group_ids=`id -G`
for i in `grep ':S-1-5-32-544:' /etc/group | cut -d: -f3`
do
  for k in $group_ids
  do
    [ $k = $i ] && hasAdminGroup=$((hasAdminGroup+1))
  done
done

if [ $hasAdminGroup -gt 0 ]
then
  if [ $is_NT -gt 0 -a $NT_main_version -ge 6 ]
  then
    # cannot really determine if running with admin privileges
    # in windows vista when only checking the group membership
    # exit with another value to indicate this
    exit 2
  else
    exit 0
  fi
else
  exit 1
fi
=================
--- isAdmin
=================

regards

kf
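
Added example, not part of the original message: the elevated / not elevated question answered from the shell by a different technique than the CheckTokenMembership() call above, namely matching the integrity-level SID in the output of Windows' `whoami /groups /fo csv /nh`. It assumes Windows NT-6.0 or later, where that output includes a mandatory label row; the function name `elevation_state` and the sample rows are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post). Classifies a logon token from
# the CSV rows printed by Windows' "whoami /groups /fo csv /nh". Only SIDs are
# compared, so the result does not depend on the display language.

ADMIN_SID='S-1-5-32-544'     # BUILTIN\Administrators
HIGH_SID='S-1-16-12288'      # High Mandatory Level
SYSTEM_SID='S-1-16-16384'    # System Mandatory Level

# Reads CSV rows (Group Name, Type, SID, Attributes) on stdin and prints one
# of: elevated | filtered-admin | non-admin
elevation_state() {
    tr -d '\r' | awk -F'","' -v admin="$ADMIN_SID" -v high="$HIGH_SID" \
                     -v sys="$SYSTEM_SID" '
        $3 == admin             { is_admin = 1 }
        $3 == high || $3 == sys { is_high = 1 }
        END {
            if (is_high)       print "elevated"
            else if (is_admin) print "filtered-admin"
            else               print "non-admin"
        }'
}

# Constructed sample rows, not captured from a real system.
SAMPLE_LIMITED='"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'

SAMPLE_ELEVATED='"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'

SAMPLE_USER='"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'

for sample in "$SAMPLE_LIMITED" "$SAMPLE_ELEVATED" "$SAMPLE_USER"; do
    printf '%s\n' "$sample" | elevation_state
done

# Live use from a Cygwin shell (coreutils whoami shadows the Windows one):
#   "$(cygpath -S)/whoami.exe" /groups /fo csv /nh | elevation_state
```

The "filtered-admin" result corresponds to the case the isAdmin script reports with exit value 2: the Administrators SID is listed, but the token carries no high integrity label.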