Martin Wege via Cygwin wrote:
On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
<cygwin@cygwin.com> wrote:
Martin Wege via Cygwin wrote:
Hello,
Does Cygwin have a tool to run a bash script as SYSTEM user if my
account already have admin rights?
No (AFAIK).
I use psexec from Sysinternals tools
(https://learn.microsoft.com/sysinternals/downloads/psexec)
This starts a Cygwin terminal as SYSTEM user:
psexec -s -i c:\cygwin\bin\mintty -
Use of psexec is forbidden, as it triggers our security software (Cortex XDR).
Then it is possibly not recommended to do anything special that psexec
could do, except if there exists an explicit permission :-)
Windows has
https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
Can we use that to write a C wrapper program, to switch from current
user with admin rights to the SYSTEM account, execute command and then
exit(0) the wrapper?
Function from this API are also used by the setuid() emulation of Cygwin
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview).
User switching relies on an access token returned by LogonUser() or
similar. This requires a password or other credential which is (AFAIK)
never available for the SYSTEM user.
Windows services are run as SYSTEM by default. Running the script with
bash installed as a service (via cygrunsrv) may do the trick.
--
Regards,
Christian
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
