On 2023-09-22 06:39, Christian Franke via Cygwin wrote:
Martin Wege via Cygwin wrote:
On Fri, Sep 22, 2023 at 9:42 AM Christian Franke via Cygwin
<cygwin@cygwin.com> wrote:
Martin Wege via Cygwin wrote:
Hello,

Does Cygwin have a tool to run a bash script as SYSTEM user if my
account already has admin rights?
No (AFAIK).

I use psexec from Sysinternals tools
(https://learn.microsoft.com/sysinternals/downloads/psexec)

This starts a Cygwin terminal as SYSTEM user:

psexec -s -i c:\cygwin\bin\mintty -
Use of psexec is forbidden, as it triggers our security software (Cortex XDR).

Then it is possibly not recommended to do anything special that psexec could do, except if there exists an explicit permission :-)


Windows has https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
Can we use that to write a C wrapper program, to switch from current
user with admin rights to the SYSTEM account, execute command and then
exit(0) the wrapper?

Functions from this API are also used by the setuid() emulation of Cygwin (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). User switching relies on an access token returned by LogonUser() or similar. This requires a password or other credential which is (AFAIK) never available for the SYSTEM user.

Windows services are run as SYSTEM by default. Running the script with bash installed as a service (via cygrunsrv) may do the trick.

For elevated automated scripts, such as service startup, shutdown, and cleanup, I add privileged jobs as Scheduled Tasks under account SYSTEM, whether logged in or not, with highest privileges, command c:\cygwin\bin\dash arguments /usr/local/bin/....sh.

For interactive elevated commands (normally Windows commands), such as firewall rules for testing network packages like curl, I use an auto-elevate wrapper as in the attached script.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry
@ECHO on
::%COMSPEC% /C
:: auto-elevate-admin-script.cmd - auto elevate Windows command script with admin rights

:: mshta evaluates this JavaScript snippet; ShellExecute with verb 'runas' re-launches this script through the UAC prompt
SET SHELLEX=javascript^: var shell = new ActiveXObject^('shell.application'^)^; shell.ShellExecute
SET ELEVATE='', 'runas', 1^)^; close^(^)^;
SET WD=%~dp0

:: add non-blank arg 1 to log name
IF ""=="%1" (
    SET LOG=%WD%%~n0.log
) ELSE (
    SET LOG=%WD%%~n0-%1.log
)

:: check or elevate - see https://stackoverflow.com/a/37669661
:: NET FILE fails (ERRORLEVEL 1) unless this process already runs elevated
NET FILE >NUL 2>NUL

IF ERRORLEVEL 1 (
    CD /d %WD%
    mshta "%SHELLEX%('%~nx0', '%*', %ELEVATE%"
    EXIT /b
)

CD /d %WD%

...

:: take ownership and grant user rights to log
:: the elevated run may create the log owned by Administrators; hand it back to the invoking user
IF EXIST %LOG% (
    takeown /f %LOG%
    icacls %LOG% /grant %USERNAME%:F
)

EXIT /b
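Worked example of the cygrunsrv route mentioned above: a bash job installed as a Windows service so it runs as SYSTEM without any LogonUser() credential. This is an added example, not part of the thread or of Cygwin's own tooling; the service name cygjob, the script path /usr/local/bin/system-job.sh and the log path /var/log/cygjob.log are placeholders.

```bash
#!/bin/bash
# Added example (not from the thread): run a Cygwin bash job as SYSTEM by
# installing it as a Windows service with cygrunsrv. Service name, script
# path and log path below are placeholders.
set -u

SYSTEM_UID=18   # Cygwin maps S-1-5-18 (NT AUTHORITY\SYSTEM) to uid 18

# Returns 0 when the given uid is SYSTEM, 1 otherwise. Lets the job refuse
# privileged work if someone runs it by hand from an ordinary admin shell.
is_system_uid() {
    [ "$1" -eq "$SYSTEM_UID" ]
}

# Print the cygrunsrv command that installs the service. cygrunsrv runs a
# service as LocalSystem unless -u/--user is given, so no -u/-w (password)
# is needed; that is why this route sidesteps the LogonUser() problem.
# Usage: build_install_cmd SERVICE SCRIPT LOGFILE
build_install_cmd() {
    local svc=$1 script=$2 log=$3
    printf 'cygrunsrv -I %s -d "Cygwin job %s" -f "Runs %s as SYSTEM" -p /bin/bash -a "%s" -t manual -1 %s -2 %s\n' \
        "$svc" "$svc" "$script" "$script" "$log" "$log"
}

# Body of the job itself, started by the service with bash as the process.
# Only SYSTEM may proceed; umask 077 keeps the log unreadable to other local
# users, since it holds output produced with SYSTEM rights.
run_job() {
    local log=$1
    if ! is_system_uid "$(id -u)"; then
        echo "refusing to run: uid $(id -u) is not SYSTEM ($SYSTEM_UID)" >&2
        return 2
    fi
    umask 077
    echo "$(date -u +%FT%TZ) job started as $(id -un)" >> "$log"
    # ... privileged work goes here ...
    return 0
}

case "${1:-}" in
    install) build_install_cmd cygjob /usr/local/bin/system-job.sh /var/log/cygjob.log ;;
    run)     run_job /var/log/cygjob.log ;;
esac
```

Run `system-job.sh install` once from an elevated Cygwin shell to print the install command, then `cygrunsrv -S cygjob` starts the job as SYSTEM; the log lands in /var/log/cygjob.log.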

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple