Date: Thu, 5 Feb 2015 22:25:40 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <824133578.20150205222540@yandex.ru>
To: Andrew Schulman, cygwin AT cygwin DOT com
Subject: Re: how to determine if a shell is running as Administrator?
In-Reply-To: <8us6da1mc84clhtt2hgsliu2tor8mddcga@4ax.com>
References: <20150205100349 DOT GS2635 AT calimero DOT vinschen DOT de> <87siekhaz6 DOT fsf AT Rainer DOT invalid> <20150205113926 DOT GT2635 AT calimero DOT vinschen DOT de> <8us6da1mc84clhtt2hgsliu2tor8mddcga AT 4ax DOT com>

Greetings, Andrew Schulman!

>> However, the user token of such a user still contains the Administrators
>> group (I just tested it) and thus the `id -G' test for 544 (or 0 with
>> the old "root" entry in /etc/group) is still valid.

> OK, I see. Yes, when I Run as administrator I have

> $ id -G
> 513 114 1007 1001 0 545 4 66049 11 15 113 4095 66048 262154 405504

> which includes 0.

> So it seems that the test for group 544 or 0 is the way to tell if the user has
> admin rights.

544 only. If you see group 0, you should notify the user that either
1. Their Cygwin is outdated, or
2. They have an /etc/group file that supersedes normal group resolution.
There MAY be valid reasons to have /etc/group, but in no way should it override
well-known SIDs.

> If you want to know (I don't) specifically if they got those
> rights from Run as administrator, the presence of group 114 will tell you that,
> but only in newer OSes.

It doesn't matter really. As long as the user token has group 544, you can
expect that they do have the powers in the system.
It is not the only available way to gain such power (i.e. the test for having
SeBackupPrivilege is more reliable), but from the shell, this is probably the only
straightforward one.

P.S.
$ uname -a
CYGWIN_NT-6.1 daemon2 1.7.34(0.285/5/3) 2015-02-04 12:14 x86_64 Cygwin

regular:$ id -G
197121 545 4 66049 11 15 113 4095 66048 262154 401408

elevated:$ id -G
197121 114 544 545 4 66049 11 15 113 4095 66048 262154 405504

P.P.S.
# Prompt tail: "#" when the token carries Administrators (544), "$" otherwise.
PS1_TAIL="$(
  x="$"
  for group in $(id -G); do
    test "$group" -eq 544 && { x="#"; break; }
    # gid 0 means a well-known SID is being remapped through /etc/group
    test "$group" -eq 0 && { x="Please remove well-known SID overrides from your /etc/group file#"; break; }
  done
  echo "$x"
)"

if [ "$color_prompt" = yes ]; then
    PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\[\033[0m\007\]\n$PS1_TAIL '
else
    PS1='\u@\h:\w\007\n$PS1_TAIL '
fi
unset color_prompt force_color_prompt

--
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 05.02.2015, <21:02>

Sorry for my terrible English...
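
Added example, not part of the original message: the group test from this thread as a reusable function that takes the gid list as arguments, so it can be checked against the three `id -G` outputs quoted above. The function names and the verdict strings (admin, admin-legacy, user) are assumptions made for this example; the meanings of groups 544, 0 and 114 are as stated in the thread.

```shell
# classify_token GID...
# Prints one verdict for a token's group list:
#   admin        - 544 (Administrators) is present
#   admin-legacy - 544 is absent but 0 is present, i.e. the well-known SID
#                  is being shown as gid 0 (outdated Cygwin or an /etc/group
#                  override, per the thread)
#   user         - neither is present
# Exit status is 0 for either admin verdict, 1 otherwise.
classify_token() {
    _has544=no
    _has0=no
    for _gid in "$@"; do
        # Whole-value match only: gids such as 401408 or 66049 contain the
        # digit 0 and must not be mistaken for group 0.
        case $_gid in
            544) _has544=yes ;;
            0)   _has0=yes ;;
        esac
    done
    if [ "$_has544" = yes ]; then
        echo admin
        return 0
    fi
    if [ "$_has0" = yes ]; then
        echo admin-legacy
        return 0
    fi
    echo user
    return 1
}

# via_runas GID...
# Status 0 if group 114 is present, which the thread says marks
# "Run as administrator", but only on newer OSes.
via_runas() {
    for _gid in "$@"; do
        case $_gid in
            114) return 0 ;;
        esac
    done
    return 1
}

# Sample inputs copied from the `id -G` outputs quoted in the thread.
SAMPLE_REGULAR="197121 545 4 66049 11 15 113 4095 66048 262154 401408"
SAMPLE_ELEVATED="197121 114 544 545 4 66049 11 15 113 4095 66048 262154 405504"
SAMPLE_LEGACY="513 114 1007 1001 0 545 4 66049 11 15 113 4095 66048 262154 405504"
```

In a live shell the call is `classify_token $(id -G)`, with word splitting of the `id -G` output intended.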