Subject: Re: Running bash script as SYSTEM from account with admin rights?
Date: Fri, 22 Sep 2023 08:18:40 -0600
From: Brian Inglis via Cygwin
To: cygwin AT cygwin DOT com

On 2023-09-22 06:39, Christian Franke via Cygwin wrote:
> Martin Wege via Cygwin wrote:
>> On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
>> wrote:
>>> Martin Wege via Cygwin wrote:
>>>> Hello,
>>>>
>>>> Does Cygwin have a tool to run a bash script as SYSTEM user if my
>>>> account already has admin rights?
>>> No (AFAIK).
>>>
>>> I use psexec from Sysinternals tools
>>> (https://learn.microsoft.com/sysinternals/downloads/psexec)
>>>
>>> This starts a Cygwin terminal as SYSTEM user:
>>>
>>> psexec -s -i c:\cygwin\bin\mintty -
>> Use of psexec is forbidden, as it triggers our security software (Cortex XDR).
>
> Then it is possibly not recommended to do anything special that psexec could do,
> except if there exists an explicit permission :-)
>
>
>> Windows has
>> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
>> Can we use that to write a C wrapper program, to switch from current
>> user with admin rights to the SYSTEM account, execute command and then
>> exit(0) the wrapper?
>
> Functions from this API are also used by the setuid() emulation of Cygwin
> (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). User
> switching relies on an access token returned by LogonUser() or similar. This
> requires a password or other credential which is (AFAIK) never available for the
> SYSTEM user.
>
> Windows services are run as SYSTEM by default. Running the script with bash
> installed as a service (via cygrunsrv) may do the trick.

For elevated automated scripts, such as service startup, shutdown, and cleanup,
I add privileged jobs as Scheduled Tasks under account SYSTEM, whether logged in
or not, with highest privileges, command c:\cygwin\bin\dash arguments
/usr/local/bin/....sh.

For interactive elevated commands (normally Windows commands), such as firewall
rules for testing network packages like curl, I use an auto-elevate wrapper as
in the attached script.

--
Take care.
Thanks, Brian Inglis
Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry

[Attachment: auto-elevate-admin-script-cmd.txt]
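
Added example, not part of the original message or its attachment: one way to register the kind of SYSTEM Scheduled Task described in the reply above, checking first that nobody other than SYSTEM or Administrators can modify the interpreter or the script the task will run. The task name, the script name cleanup.sh, the dash.exe file name and the Cygwin root c:\cygwin are assumptions for illustration.

```powershell
# Added example: task name and script path are hypothetical placeholders.
$TaskName  = 'Cygwin-Cleanup'                       # hypothetical
$Dash      = 'c:\cygwin\bin\dash.exe'               # assumes Cygwin root c:\cygwin
$PosixPath = '/usr/local/bin/cleanup.sh'            # hypothetical script (Cygwin view)
$WinPath   = 'c:\cygwin\usr\local\bin\cleanup.sh'   # same file (Windows view)

# Only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) may hold
# write-type rights on anything a SYSTEM task executes.
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'
$Rights      = [System.Security.AccessControl.FileSystemRights]
$WriteMask   = $Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete -bor
               $Rights::ChangePermissions -bor $Rights::TakeOwnership
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter {
    # Returns the account names that hold an effective Allow ACE with write rights.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $InheritOnly) { continue }  # not effective here
        if (-not ($ace.FileSystemRights -band $WriteMask)) { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -notcontains $sid) { $ace.IdentityReference.Value }
    }
}

# Check the interpreter, the script, and the directory holding the script
# (write access to the directory allows replacing the file).
$findings = foreach ($p in $Dash, $WinPath, (Split-Path -Parent $WinPath)) {
    Get-UntrustedWriter -Path $p | ForEach-Object { "$p is writable by $_" }
}
if ($findings) {
    $findings | Write-Warning
    throw 'Not registering the task: tighten the ACLs listed above first.'
}

# SYSTEM account, highest privileges, runs whether or not anyone is logged in.
$action    = New-ScheduledTaskAction -Execute $Dash -Argument $PosixPath
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal
```

Run it from an elevated PowerShell prompt; the ACL check only reads explicit and inherited ACEs on the three paths and does not evaluate group membership.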