I need to give a non-admin account most admin permissions except for modifying system files. I'd like that admin account to retain all normal admin permissions but not be able to modify the hosts file. I've written a guide on how to do this in Ubuntu, and I'd like to do something similar in Windows 10.

The best solution I've found is to make something like this script start when the user logs in. Source

```powershell
# Specify the file name
$fileName = "C:\Windows\System32\Drivers\etc\hosts"

# Open the file in read-only mode, sharing read access only, so other processes cannot write to it (i.e., locked as requested)
$file = [System.IO.File]::Open($fileName, 'Open', 'Read', 'Read')
```

I understand that it won't be bulletproof, but I would like something that makes it sufficiently inconvenient to modify this file.

DanielArnett
  • As an Administrator on Windows, you can give yourself permissions to any file on the system, it is just a matter of hoops you must jump through. – Ramhound Feb 14 '19 at 16:23
  • As I linked above it's not always as simple as changing read/write access. Another way to put this puzzle: How do you give a non-admin account permissions to do any admin task _except_ modifying system files. – DanielArnett Feb 14 '19 at 16:33
  • I could not access your link, so I have no idea what it says, but that information only applies to Linux. As an Administrator on Windows, one can take ownership of any file on the system, just a matter of what hoops you must jump through (or if it will break the system). – Ramhound Feb 14 '19 at 16:39
  • This is still a duplicate. The top answer on the linked question is your answer: You cannot do this within the confines you have defined. By very definition, Admin access is the ability to modify the permissions and properties of files on a system and can grant themselves the access you wish to remove from them. If you wish to prevent accounts from accessing a file, you cannot give them Admin. – music2myear Feb 14 '19 at 17:25
  • That's a poor definition of administrative access. In other OSs there are levels of access and ways to lock files from modification even from the administrator unless the files are unlocked. Please reread the last sentence of my original post. – DanielArnett Feb 14 '19 at 17:52
  • @DanielArnett - I have read the sentence several times. By default, you have to escalate the permissions of any process that will modify the file anyway to that of an Administrator. However, any user in the local Administrator user group can do exactly that with little to no effort. – Ramhound Feb 14 '19 at 18:20
  • (1) You ask for “most admin permissions except …”.  To [paraphrase Han Solo](http://quotegeek.com/quotes-from-movies/star-wars/2128), ‘most admin permissions’ is quite a bit.  If you identified specific permissions that you want this non-admin account to have, you might get an answer more to your liking.  P.S. “Most admin permissions” include the power to terminate any process, so your lock file approach is probably doomed to fail.   (2) Your Ubuntu solution appears to be about as bullet-proof as aluminum foil. – Scott - Слава Україні Feb 14 '19 at 18:20
  • @Scott I'd be happy to hear feedback on that Ubuntu solution too. Again the goal is not for it to be secure but to be inconvenient to undo. – DanielArnett Feb 14 '19 at 18:26
  • OK, I haven’t tested any of this, but (1) I suspect that your solution would leave the user able to do `sudo visudo` and restore the permissions. Also, `sudo sh` and `sudo su` may give the user an unrestricted root shell. Also, they can create a new user that would not be subject to the (per-user) restriction. But, most importantly, with your “everything except …” approach, the user can write a script that calls `chattr`, and then run that script with `sudo`. … (Cont’d) – Scott - Слава Україні Feb 14 '19 at 19:04
  • (Cont’d) …  (2) I don’t know how well this would work, but the user could get the IP address of a social media host with `nslookup`, and then go directly to the site using that address. (3) The user could download and install VirtualBox/VMware and create a virtual machine where they could become root and have unlimited power. (Admittedly, this is covered by your “sufficiently inconvenient” caveat.) (4) As mentioned by [Frank Thomas](https://superuser.com/users/171793/frank-thomas) in [a comment on the other question](https://superuser.com/q/555404/150988#comment675672_555423), … (Cont’d) – Scott - Слава Україні Feb 14 '19 at 19:04
  • (Cont’d) …  somebody with physical access to the computer can boot into a live CD and bypass all restrictions on the installed operating system.  (5) OK, this is not a security weakness, but a real-world pragmatic concern.  Can you rely on your friend to keep a half password safely / securely in a place where they’ll be able to find it when you ask for it (possibly years later)?  Worst case scenario: what if your friend dies suddenly? – Scott - Слава Україні Feb 14 '19 at 19:04

1 Answer

An admin can access any file on the system. The system hosts file you are referring to handles local name resolution for the machine so it needs to be able to be readable by all users of the system. You could probably remove admin access to "write" to the file but another admin could easily give themselves "write" access back.

Marcus Patman
  • Even more than that: By definition Admin rights include the ability to MODIFY the permissions and properties of any object on the system. If you cannot do this, you do not have Admin. This ability to modify permissions and properties means that they can grant themselves the access you wish to exclude them from. – music2myear Feb 14 '19 at 17:23
  • @music2myear: How is what you said “even more than” what Marcus Patman already said? – Scott - Слава Україні Feb 14 '19 at 17:44
  • Because the access to an item is not the same thing as the ability to change the access to an item. One admin could adjust the permissions of a given object and ostensibly prevent another admin from viewing it. This would appear to give the lie to Marcus' answer. I was adding to it that even this is a technicality which the admin rights of the other account would be able to easily overcome. I was expanding the information to clarify that it covers even seeming exceptions. – music2myear Feb 14 '19 at 17:52
  • @music2myear Marcus’s answer already says «another admin could easily give themselves "write" access back.» If you are saying something more than that, I don’t understand it. – Scott - Слава Україні Feb 14 '19 at 19:01
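
The two mechanisms discussed on this page, the question's open-handle lock and the answer's removal of "write" access, compared side by side in an added example that is not code from the question, the answer or the linked source. It runs against a constructed scratch file in `$env:TEMP` (the name `hosts-demo.txt` and the helper `Test-CanWrite` are assumptions of this example) and records whether a write succeeds at each stage.

```powershell
# Added example: operates on a constructed scratch file, never on the real hosts file.
$path = Join-Path $env:TEMP 'hosts-demo.txt'          # hypothetical stand-in for hosts
Set-Content -Path $path -Value '127.0.0.1 localhost'  # constructed sample content

# Hypothetical helper: returns $true if an append to the file succeeds.
function Test-CanWrite {
    param([string]$File)
    try   { Add-Content -Path $File -Value '# probe' -ErrorAction Stop; return $true }
    catch { return $false }
}

# 1) The question's approach: hold a handle that shares read access only.
$handle = [System.IO.File]::Open($path, 'Open', 'Read', 'Read')
$whileHandleOpen = Test-CanWrite $path   # writers hit a sharing violation
$handle.Close()                          # same effect as the holding process ending
$afterHandleClosed = Test-CanWrite $path

# 2) The answer's approach: a Deny ACE for 'Write' on the current account.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Write', 'Deny')
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl
$withDenyAce = Test-CanWrite $path

# 'Write' does not include the right to change permissions, so an account that
# can still edit the DACL (the owner, or an administrator) can drop the ACE again.
$acl = Get-Acl -Path $path
[void]$acl.RemoveAccessRule($deny)
Set-Acl -Path $path -AclObject $acl
$afterAceRemoved = Test-CanWrite $path

# Summary of each stage: can the file be written?
[pscustomobject]@{
    WhileHandleOpen   = $whileHandleOpen
    AfterHandleClosed = $afterHandleClosed
    WithDenyAce       = $withDenyAce
    AfterAceRemoved   = $afterAceRemoved
}

Remove-Item -Path $path   # clean up the scratch file
```

Both restrictions hold only while something the restricted account can itself control stays in place: the process holding the handle, or the ACE in the file's DACL.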