Question about UAC and bash/cygwin
Kurt Franke
Kurt-Franke@web.de
Thu Aug 16 18:23:00 GMT 2012
Lord Laraby <lord.laraby <at> gmail.com> writes:
>
> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> > On Aug 16 08:48, Lord Laraby wrote:
> >> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> >> > On Aug 16 07:06, Lord Laraby wrote:
> >>
> >> See, here where I said I want to know if the user is in fact
> >> "elevated"? I'm always a member of the Administrators Group (group
> >> 544) even when I have no such privileges to "administer" the system.
> >>
> >> > What is it good for to have uid 0? You want to know if you have admin
> >> > rights, so why don't you simply check for the admin group in the
> >> > supplementary group list?
> >>
> >> The uid 0 feature is just a unixy way of indicating that my account
> >> has already passed and accepted the UAC and I'm now running as a
> >> normal admin (not a puny user).
> >>
> > Huh? When you're not running elevated, the admin group will not be in
> > the list of supplementary groups. What other information do you need?
> > What's the problem?
> >
> >
> > Corinna
>
> Apparently, we're seeing completely different things then. Here are two
> examples I ran, one normally and one elevated.
>
> non-elevated:
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
>
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
>
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.tmp
> mv: cannot move `accessibility.conf' to `accessibility.conf.tmp':
> Permission denied
>
> ^^^ Not able to bypass ACL (but note being in group 0 (544))
>
> *** Now try in elevated mode
> Elevated:
> master <at> Master-PC ~
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
>
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
>
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.sav
>
> ^^^ No error and successfully used admin privileges...
>
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf.sav accessibility.conf
>
> ^^^ Again
>
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
>
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> master <at> Master-PC /etc/at-spi2
> ------------
>
> See, root (545) is on my groups all the time - elevated or not. Unless
> this is an error of some magnitude that it was inadvertently changed,
> I cannot say.
>
> Needless to say, as you can see from the sample out above, I can only
> do certain things elevated (admin-type tasks) regardless of having
> root in my groups.
>
> Any suggestions on why I get different results?
>
> LL
>
Hi,
I got a hint how to do this on this list some years ago by Brian Dessent.
The function CheckTokenMembership() must be called for this, like done in
the following program:
================= +++ CheckTokenMembership-Admin.c =================
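#define _WIN32_WINNT 0x0500   /* set before any include */
#include <stdio.h>
#include <stdlib.h>           /* exit() */
#include <windows.h>

int main (int argc, char **argv)
{
  SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
  PSID AdministratorsGroup;
  BOOL isAdmin;

  /* Build the well-known SID S-1-5-32-544 (BUILTIN\Administrators), then
     test it against the caller's token (NULL token handle).  The result is
     TRUE only if the SID is enabled in the token; the deny-only entry of a
     UAC-filtered token does not count.  */
  if (AllocateAndInitializeSid (&NtAuthority, 2,
                                SECURITY_BUILTIN_DOMAIN_RID,
                                DOMAIN_ALIAS_RID_ADMINS,
                                0, 0, 0, 0, 0, 0, &AdministratorsGroup) == 0 ||
      CheckTokenMembership (NULL, AdministratorsGroup, &isAdmin) == 0)
    {
      printf ("failed with win32 error %lu\n", GetLastError ());
      exit (2);
    }
  FreeSid (AdministratorsGroup);
  exit (!isAdmin);   /* 0 : elevated, 1 : not elevated */
}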
================= --- CheckTokenMembership-Admin.c =================
Its exit value indicates whether the admin token is active or not - that is,
elevated or not:
0 : elevated
1 : not elevated
I use a script around it for calling, to allow handling of Windows
versions which don't support the CheckTokenMembership() function.
If the version is less than NT-6.0 or if the program is not found in the path,
it uses the traditional method of checking for Administrators group
membership and returns with an exit value of two for "possibly elevated"
if membership exists and the Windows version is NT-6.0 or greater.
================= +++ isAdmin =================
#! /bin/bash
# check if running with admin privileges
# to make the check language independent use group ids, not names
# get the administrators group ids from /etc/group by checking for lines
# holding the well-known sid ':S-1-5-32-544:' in the second field
is_NT=`uname | grep CYGWIN_NT | wc -l`
if [ $is_NT -gt 0 ]
then
    NT_version=`uname | cut -d- -f2`
else
    NT_version="-1.0"
fi
NT_main_version=`echo $NT_version | cut -d. -f1`
if [ $is_NT -gt 0 -a $NT_main_version -ge 5 ]
then
    # executable calling CheckTokenMembership for the Admin group
    # which will also get the correct result for non-elevated
    # Admin sessions when running under Vista
    # first check if it is there
    type CheckTokenMembership-Admin >/dev/null 2>&1
    found_CheckTokenMembership_Admin=$?
    if [ $found_CheckTokenMembership_Admin -eq 0 ]
    then
        CheckTokenMembership-Admin
        exit $?
    fi
    # if CheckTokenMembership-Admin is not found then just
    # use the standard test as for other Windows versions
fi
hasAdminGroup=0
group_ids=`id -G`
for i in `grep ':S-1-5-32-544:' /etc/group | cut -d: -f3`
do
    for k in $group_ids
    do
        [ $k = $i ] && hasAdminGroup=$((hasAdminGroup+1))
    done
done
if [ $hasAdminGroup -gt 0 ]
then
    if [ $is_NT -gt 0 -a $NT_main_version -ge 6 ]
    then
        # cannot really determine if running with admin privileges
        # in Windows Vista when only checking the group membership
        # exit with another value to indicate this
        exit 2
    else
        exit 0
    fi
else
    exit 1
fi
================= --- isAdmin =================
regards
kf
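
Added example (not part of the original post, and not Cygwin code): a fail-closed gate that consumes the exit status of the isAdmin script above. Status 2 is ambiguous on this page (the script's "possibly elevated" and the C helper's Win32-error exit), so only status 0 is accepted. The names `ISADMIN_CMD`, `elevation_state`, `run_if_elevated` and the return value 77 are assumptions made for this example.

```sh
#!/bin/sh
# Gate an admin-only step on the isAdmin exit status described in the post:
#   0 = elevated, 1 = not elevated,
#   2 = "possibly elevated" (group check only) OR the C helper's error exit.

# Hypothetical override so the gate can be exercised with a stub checker.
ISADMIN_CMD=${ISADMIN_CMD:-isAdmin}

# Print one of: elevated, not-elevated, unknown, error.
# isAdmin calls exit, so it is run as a command and never sourced.
elevation_state() {
    rc=0
    "$ISADMIN_CMD" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo elevated ;;
        1) echo not-elevated ;;
        2) echo unknown ;;      # ambiguous: treated as not elevated
        *) echo error ;;        # e.g. 127 when the checker is not in PATH
    esac
}

# run_if_elevated CMD [ARGS...]
# Runs CMD only when the checker positively reports elevation; every other
# state is refused with status 77 (value chosen for this example).
run_if_elevated() {
    state=$(elevation_state)
    if [ "$state" = elevated ]; then
        "$@"
        return
    fi
    echo "refusing to run '$1': elevation state is $state" >&2
    return 77
}
```

Typical use is `run_if_elevated mv accessibility.conf accessibility.conf.sav`, which fails immediately in a non-elevated shell instead of surfacing later as a "Permission denied".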