我的常规用户帐户是管理员组的一部分。
当我使用 mintty 启动 cygwin shell 时,我没有获得与我的组集中的管理员组相对应的组名称。这是一组组。
gid=197121(None) groups=197121(None),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),
11(Authenticated Users),15(This Organization),113(Local account),
66048(LOCAL),262154(NTLM Authentication),401408(Medium Mandatory Level)
当我使用“以管理员身份运行”选项启动 cygwin shell 时,我得到与我的组集中的管理员组相对应的组名称。这是一组组。
gid=197121(None) groups=197121(None),114(Local account and member of Administrators group),
544(Administrators),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),
11(Authenticated Users),15(This Organization),113(Local account),
66048(LOCAL),262154(NTLM Authentication),405504(High Mandatory Level)
当我启动 cygwin shell 而不使用“以管理员身份运行”时,我可以做些什么来获取我的组集中的组 114(本地帐户和管理员组成员)和 544(管理员)吗?
答案1
你可以通过对文件进行一些调整来伪造它/etc/passwd。上面提到了这种可能性cygwin 邮件列表今年早些时候:
Re: Change PS1 when run as administrator
From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Wed, 23 Mar 2016 15:17:40 +0100
Subject: Re: Change PS1 when run as administrator
Authentication-results: sourceware.org; auth=none
References: <F7CDFE45-BFA7-4599-B510-B40BCA19142F at etr-usa dot com> <28210846 dot 20160315202354 at yandex dot ru> <87mvpz1ong dot fsf at Rainer dot invalid> <0F37E0B7-A313-49F2-BAFD-59A7A144BD8C at etr-usa dot com> <loom dot 20160323T125711-592 at post dot gmane dot org>
Reply-to: cygwin at cygwin dot com
On Mar 23 12:35, Brian Inglis wrote:
> Warren Young <wyml <at> etr-usa.com> writes:
> > On Mar 15, 2016, at 2:17 PM, Achim Gratz <Stromeko <at> nexgo.de> wrote:
> >> Andrey Repin writes:
> >>> test $group -eq 114 && { x="#"; break; }
> >> Nope, that group membership isn't associated with real administrative
> >> powers.
> > Confirmed, at least on Win10 64-bit without any AD mucking things up.
> > That is, I get both 114 and 544 here, so I donât need the 114 rule at all.
>
> Opposite for me on Win7 x64 non-domain machine!
> I am always a member of 544(Administrators) group and it is my default
> primary group in normal non-admin and elevated admin shells.
>
> In elevated admin shell, I am also a member of 114(Local account and member
> of Administrators group) and 405504(High Mandatory Level) not 401408(Medium
> Mandatory Level).
>
> No idea how this works in domains and with domain accounts, but perhaps
> checking for 114 and/or 405504 would be more portable?
>
> $ uname -srvmo
> CYGWIN_NT-6.1 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin
>
> normal non-admin shell:
> $ id
> uid=... gid=544(Administrators)
> groups=544(Administrators),197121(None),197610(HomeUsers),545(Users),
> 4(INTERACTIVE),66049(CONSOLE
> LOGON),11(Authenticated Users),15(This Organization),113(Local
> account),4095(CurrentSession),66048(LOCAL),262154(NTLM
> Authentication),401408(Medium Mandatory Level)
You have either some /etc/passwd, /etc/group settings overshadowing the
default settings, or you used the "desc" method described in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
to change your primary group.
Otherwise your primary group is always "None", or the equivalent in your
locale. The admins group is *never* the primary group, unless you
messed with the settings for Cygwin as outlined above.
If you're member in the Admins group, then the admins group is part of
the non-elevated token, but only as "deny-only" group. That means, it's
usually not shown in id, unless you made it primary group, in which case
it has to be shown.
You better remove this. I think I'll fix this function to not allow
primary groups wehich are not enabled in the token.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
但这不会影响您在该 shell 中执行管理工作的能力。