This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Change PS1 when run as administrator


On Mar 23 18:01, Brian Inglis wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > On Mar 23 12:35, Brian Inglis wrote:
> >> Warren Young <wyml <at> etr-usa.com> writes:
> >>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
> >>> That is, I get both 114 and 544 here, so I don't need the 114 rule at all.
> >> Opposite for me on Win7 x64 non-domain machine! 
> >> I am always a member of 544(Administrators) group and it is my default
> >> primary group in normal non-admin and elevated admin shells. 
> >> In elevated admin shell, I am also a member of 114(Local account and 
> >> member of Administrators group) and 405504(High Mandatory Level) not 
> >> 401408(Medium Mandatory Level). 
> 
> > You have either some /etc/passwd, /etc/group settings overshadowing the
> > default settings, or you used the "desc" method described in
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> > to change your primary group.
> > Otherwise your primary group is always "None", or the equivalent in your
> > locale.  The admins group is *never* the primary group, unless you
> > messed with the settings for Cygwin as outlined above.
> > > If you're a member of the Admins group, then the admins group is part of
> > the non-elevated token, but only as "deny-only" group.  That means, it's
> > usually not shown in id, unless you made it primary group, in which case
> > it has to be shown.
> > You better remove this.  I think I'll fix this function to not allow
> > primary groups which are not enabled in the token.

The latest test release 2.5.0-0.9 now checks if the desired primary
group is enabled in the token.  If it's not enabled, as in the case
of the admins group for non-elevated admin accounts, it refuses to
change the primary group and keeps the default primary group intact.

> net user /comment - thanks, that worked.
> Removed comment (in elevated shell) and default became None.
> Readded comment with Users and that became the default.
> Will leave that there, as seeing None=="local non-domain accounts" bugs me,
> and it seems stupid to default anything to local non-domain accounts only.

> Is there a better consistent choice of dynamic group having elevated rights
> on both local and domain systems than 544 e.g. 114 or 405504 or ?

I don't understand the question.  What counts is group 544,
administrators.  But there's no good reason to make this group your
primary group.  Membership is sufficient.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
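
Added example, not part of the message above and not Cygwin's own code: a sketch of the prompt check this thread is about, keyed on the group ids quoted in it (544, 401408, 405504). The function names and prompt strings are hypothetical, and treating 544 listed alongside Medium Mandatory Level as "not elevated" is this example's assumption.

```shell
#!/bin/sh
# Added example: classify a Cygwin shell from the numeric group ids of `id -G`.
# Ids as quoted in the thread: 544 Administrators,
# 401408 Medium Mandatory Level, 405504 High Mandatory Level.

# has_gid WANTED GID... : succeed only on an exact match, so 5440 is not 544.
has_gid() {
    wanted=$1
    shift
    for g in "$@"; do
        if [ "$g" = "$wanted" ]; then
            return 0
        fi
    done
    return 1
}

# token_state GID... : prints elevated, standard or admin-at-medium.
token_state() {
    if ! has_gid 544 "$@"; then
        # Deny-only Administrators is not listed for a non-elevated token.
        echo standard
    elif has_gid 401408 "$@"; then
        # Assumption of this example: 544 listed next to Medium Mandatory
        # Level is the primary-group override discussed above, not elevation.
        echo admin-at-medium
    else
        echo elevated
    fi
}

# prompt_for STATE : prints a bash PS1 string (prompt texts are illustrative).
prompt_for() {
    case $1 in
        elevated)        printf '%s' '[ADMIN] \u@\h \w # ' ;;
        admin-at-medium) printf '%s' '[544 primary, not elevated] \u@\h \w $ ' ;;
        *)               printf '%s' '\u@\h \w $ ' ;;
    esac
}

# Intended use in ~/.bashrc (unquoted $(id -G) so each id is one argument):
#   PS1=$(prompt_for "$(token_state $(id -G))")
```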
