From: Christian Franke via Cygwin
Reply-To: Christian Franke
To: cygwin AT cygwin DOT com
Subject: Re: Running bash script as SYSTEM from account with admin rights?
Date: Fri, 22 Sep 2023 14:39:08 +0200
List-Id: General Cygwin discussions and problem reports

Martin Wege via Cygwin wrote:
> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
> wrote:
>> Martin Wege via Cygwin wrote:
>>> Hello,
>>>
>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>> account already has admin rights?
>> No (AFAIK).
>>
>> I use psexec from Sysinternals tools
>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>
>> This starts a Cygwin terminal as SYSTEM user:
>>
>> psexec -s -i c:\cygwin\bin\mintty -
> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).

Then it is possibly not recommended to do anything special that psexec
could do, except if there exists an explicit permission :-)

> Windows has https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
> Can we use that to write a C wrapper program, to switch from current
> user with admin rights to the SYSTEM account, execute command and then
> exit(0) the wrapper?

Functions from this API are also used by the setuid() emulation of Cygwin
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview).
User switching relies on an access token returned by LogonUser() or
similar. This requires a password or other credential which is (AFAIK)
never available for the SYSTEM user.

Windows services are run as SYSTEM by default. Running the script with
bash installed as a service (via cygrunsrv) may do the trick.

--
Regards,
Christian

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple