This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Question about UAC and bash/cygwin


Lord Laraby <lord.laraby <at> gmail.com> writes:

> 
> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> > On Aug 16 08:48, Lord Laraby wrote:
> >> On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> >> > On Aug 16 07:06, Lord Laraby wrote:
> >>
> >> See, here where I said I want to know if the user is in fact
> >> "elevated"?  I'm always a member of the Administrators Group (group
> >> 544) even when I have no such privileges to "administer" the system.
> >>
> >> > What is it good for to have uid 0?  You want to know if you have admin
> >> > rights, so why don't you simply check for the admin group in the
> >> > supplementary group list?
> >>
> >> The uid 0 feature is just a unixy way of indicating that my account
> >> has already passed and accepted the UAC and I'm now running as a
> >> normal admin (not a puny user).
> >>
> > Huh?  When you're not running elevated, the admin group will not be in
> > the list of supplementary groups.  What other information do you need?
> > What's the problem?
> >
> >
> > Corinna
> 
> Apparently, we're seeing completely different things then. Here's two
> examples I ran one normally and one elevated.
> 
> non-elevated:
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
> 
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.tmp
> mv: cannot move `accessibility.conf' to `accessibility.conf.tmp':
> Permission denied
> 
> ^^^ Not able to bypass ACL (but note being in group 0 (544))
> 
> *** Now try in elevated mode
> Elevated:
> master <at> Master-PC ~
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> 
> master <at> Master-PC ~
> $ cd /etc/at-spi2/
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf accessibility.conf.sav
> 
> ^^^ No error and successfully used admin privileges...
> 
> master <at> Master-PC /etc/at-spi2
> $ mv accessibility.conf.sav accessibility.conf
> 
> ^^^ Again
> 
> master <at> Master-PC /etc/at-spi2
> $ ls -l
> total 4
> -rw-r--r-- 1 admin none 1335 May 15 03:27 accessibility.conf
> 
> master <at> Master-PC /etc/at-spi2
> $ id
> uid=1001(master) gid=0(root)
> groups=0(root),545(users),1007(hlplibrupdaters),1000(homegrp),513(none)
> Note ------------^^^^^^^^^^^
> master <at> Master-PC /etc/at-spi2
> ------------
> 
> See, root (545) is on my groups all the time - elevated or not. Unless
> this is an error of some magnitude that it was inadvertently changed,
> I cannot say.
> 
> Needless to say, as you can see from the sample output above, I can only
> do certain things elevated (admin-type tasks) regardless of having
> root in my groups.
> 
> Any suggestions on why I get different results?
> 
> LL
> 

Hi,

I got a hint on how to do this on this list some years ago from Brian Dessent.
The function CheckTokenMembership() must be called for this, as is done in
the following program:

================= +++ CheckTokenMembership-Admin.c =================

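#define _WIN32_WINNT 0x0500   /* CheckTokenMembership() needs Windows 2000+ */
#include <stdio.h>
#include <stdlib.h>           /* exit() */
#include <windows.h>

int main (int argc, char **argv)
{
  SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
  PSID AdministratorsGroup;
  BOOL isAdmin;

  /* Build the well-known SID S-1-5-32-544 (BUILTIN\Administrators), then ask
     whether it is enabled in the caller's effective token (NULL handle).
     A SID that is present only as deny-only does not count as a member. */
  if (AllocateAndInitializeSid (&NtAuthority, 2,
          SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
          0, 0, 0, 0, 0, 0, &AdministratorsGroup) == 0 ||
      CheckTokenMembership (NULL, AdministratorsGroup, &isAdmin) == 0)
    {
      printf ("failed with win32 error %lu\n",
              (unsigned long) GetLastError ());
      exit (2);
    }

  FreeSid (AdministratorsGroup);
  /* exit status 0 if the Administrators group is enabled, 1 otherwise */
  exit (!isAdmin);
}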

================= --- CheckTokenMembership-Admin.c =================

Its exit value indicates whether the admin token is active or not, i.e.
elevated or not:

0 : elevated
1 : not elevated



I use a wrapper script to call it, to allow handling Windows
versions which don't support the CheckTokenMembership() function.
If the version is less than NT-6.0 or if the program is not found in the path,
it uses the traditional method of checking for Administrators group
membership, and returns with an exit value of two for "possibly elevated"
if membership exists and the Windows version is NT-6.0 or greater.


================= +++ isAdmin =================
#! /bin/bash

# check if running with admin privileges
# to make the check language independent use group ids, not names
# get the administrators group ids from /etc/group by checking for lines
# holding the well-known SID ':S-1-5-32-544:' in the second field

# 1 if uname reports a Cygwin-on-NT system, 0 otherwise
is_NT=$(uname | grep -c CYGWIN_NT)

if [ "$is_NT" -gt 0 ]
then
  NT_version=$(uname | cut -d- -f2)
else
  NT_version="-1.0"
fi

NT_main_version=$(echo "$NT_version" | cut -d. -f1)

if [ "$is_NT" -gt 0 ] && [ "$NT_main_version" -ge 5 ]
then
  # executable calling CheckTokenMembership for the Admin group
  # which will also get the correct result for non-elevated
  # Admin sessions when running under Vista
  # first check if it is there
  type CheckTokenMembership-Admin >/dev/null 2>&1
  found_CheckTokenMembership_Admin=$?
  if [ "$found_CheckTokenMembership_Admin" -eq 0 ]
  then
    CheckTokenMembership-Admin
    exit $?
  fi
  # if CheckTokenMembership-Admin is not found then just
  # use the standard test as for other Windows versions
fi

# count how many of our group ids map to the Administrators SID
hasAdminGroup=0
group_ids=$(id -G)
for i in $(grep ':S-1-5-32-544:' /etc/group | cut -d: -f3)
do
  for k in $group_ids
  do
    [ "$k" = "$i" ] && hasAdminGroup=$((hasAdminGroup+1))
  done
done

if [ "$hasAdminGroup" -gt 0 ]
then
  if [ "$is_NT" -gt 0 ] && [ "$NT_main_version" -ge 6 ]
  then
    # cannot really determine if running with admin privileges
    # in Windows Vista when only checking the group membership
    # exit with another value to indicate this
    exit 2
  else
    exit 0
  fi
else
  exit 1
fi


================= --- isAdmin =================



regards

kf
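
Added example, not part of the original message: without the compiled helper, the script above can only report "possibly elevated" (exit 2) on NT-6.0 and later. The code below settles that case from bash by reading the integrity-level SID in the CSV output of Windows' whoami.exe; the function names and sample lines are constructed here, and the whoami.exe invocation shown in the comment is an assumption about the local system.

```bash
#!/bin/bash
# Added example: classify a token from `whoami.exe /groups /fo csv /nh` text
# read on stdin. Only SIDs are matched, so the check is language independent.
# Live use on Cygwin (assumed invocation; Cygwin's own whoami is a different tool):
#   "$(cygpath -S)/whoami.exe" /groups /fo csv /nh | classify_token

HIGH_IL='S-1-16-12288'    # Mandatory Label\High Mandatory Level
SYSTEM_IL='S-1-16-16384'  # Mandatory Label\System Mandatory Level
ADMINS='S-1-5-32-544'     # BUILTIN\Administrators

# Prints one of: elevated, filtered-admin, standard-user
classify_token() {
  # The SID is the third CSV field; split on '","' because names may hold commas
  sids=$(awk -F'","' 'NF >= 4 { print $3 }')
  if printf '%s\n' "$sids" | grep -qxF -e "$HIGH_IL" -e "$SYSTEM_IL"; then
    echo elevated
  elif printf '%s\n' "$sids" | grep -qxF -e "$ADMINS"; then
    echo filtered-admin        # group is listed but the token is not elevated
  else
    echo standard-user
  fi
}

# Same convention as CheckTokenMembership-Admin: 0 elevated, 1 not elevated
is_elevated() {
  [ "$(classify_token)" = elevated ]
}

# Constructed sample input (not captured from a real machine)
sample_filtered() { cat <<'EOF'
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
EOF
}
sample_elevated() { cat <<'EOF'
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
EOF
}

echo "filtered sample: $(sample_filtered | classify_token)"
echo "elevated sample: $(sample_elevated | classify_token)"
```

The attribute text in the fourth column is localized by Windows, which is why the classification relies on the SID column alone.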










