Mail Archives: cygwin/2011/10/14/11:19:30

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.4 required=5.0 tests=AWL,BAYES_05,RP_MATCHES_RCVD,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: Andrew Schulman <schulman DOT andrew AT epamail DOT epa DOT gov>
Subject: Re: admin privileges when logging in by ssh?
Date: Fri, 14 Oct 2011 11:18:44 -0400
Lines: 147
Message-ID: <kegg975khakim6gdffidaauof66b9ie828@4ax.com>
References: <rg0q679hpajl00ujv34jtmavsanhpb6n2t AT 4ax DOT com> <fb5s67hrbvq8lej86nqjhfp0et01fc6lsf AT 4ax DOT com> <20111004094440 DOT GB14728 AT calimero DOT vinschen DOT de> <0s9m87drlejguq5s9u6njre69spr5sd8o6 AT 4ax DOT com> <20111004175341 DOT GA14345 AT calimero DOT vinschen DOT de>
Mime-Version: 1.0
X-Archive: encrypt
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

> Does Windows 7 Home Premium come with a native whoami?

Yes, it does.  So here's what I've found.  I have two users, who get
different results.

(1) User admin is a member of the Administrators group.  He gets the 
expected results:  whether he logs in by password or pubkey authentication,
he can use his administrative privileges.

(2) User backup is a "standard user", not a member of the Administrators 
group.  This is by design, to create a minimally privileged backup user.  
He has been separately granted SeBackupPrivilege and SeRestorePrivilege via 
editrights.

When user backup logs in by ssh, he gets different results:

  * If he logs in by password authentication, then whoami /all shows 
the right user name and privileges, and he can use the privileges.  See 
Listing 1 below.  So this is fine.
  * If he logs in by pubkey authentication, he doesn't get the backup and
restore privileges.  See Listing 2 below.  This is confirmed by e.g.

backup AT sulfur ~
$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

So the difference AFAICT is the membership in the Administrators group.
Notice also in the two listings below, that by password authentication,
backup gets

Mandatory Label\High Mandatory Level

while by pubkey, he gets

Mandatory Label\Medium Mandatory Level

whatever those are.

The usual advice for creating backup users is to make them members of the
"Backup operators" group, so that they get all of the required privileges
for backup.  But this isn't possible in the "Home" editions of Windows 7:
there's no Backup operators group, and you're not allowed to create one.
So I had to fall back to a standard user with an additional grant of
SeBackupPrivilege and SeRestorePrivilege.  I also tried adding a few more
privileges:

SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege

but it didn't help.

Andrew



----------------------------------
LISTING 1: password authentication
----------------------------------

backup AT sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name     SID                                          
============= =============================================
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                           Type             SID                                           Attributes                                        
==================================== ================ ============================================= ==================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                     Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled 
SeRestorePrivilege            Restore files and directories        Enabled 
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


--------------------------------
LISTING 2: pubkey authentication
--------------------------------

backup AT sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name         SID                                          
================= =============================================
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes                                        
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                       Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled 
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled 
SeTimeZonePrivilege           Change the time zone                      Enabled 


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
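The two listings above differ in ways that are easy to miss by eye. As an added example (not from the message or the Cygwin project), this Python script parses `whoami /all` output using the `====` ruler under each table header and reports the Mandatory Label row (the token's integrity level) and every privilege whose state differs between a password-login and a pubkey-login capture; the embedded samples are constructed, abbreviated from Listings 1 and 2.

```python
import re
from itertools import takewhile

def parse_whoami_all(text):
    """Tables in `whoami /all` output, keyed by their first column header.
    Cell boundaries come from the '====' ruler, so multi-word cells survive."""
    tables, lines = {}, text.splitlines()
    for i, ruler in enumerate(lines[1:], 1):
        if re.fullmatch(r"=+( =+)*\s*", ruler):  # a ruler marks the line above as a header
            spans = [(m.start(), m.end()) for m in re.finditer(r"=+", ruler)]
            cols = re.split(r"\s{2,}", lines[i - 1].strip())
            body = takewhile(lambda row: row.strip(), lines[i + 1:])  # rows end at a blank
            tables[cols[0]] = [dict(zip(cols, [row[s:e].strip() for s, e in spans[:-1]]
                                             + [row[spans[-1][0]:].strip()])) for row in body]
    return tables

def compare_logins(password_out, pubkey_out):
    """Differences between two captures of the same account: the Mandatory Label
    row (the token's integrity level) and every privilege whose state changed."""
    a, b = parse_whoami_all(password_out), parse_whoami_all(pubkey_out)
    labels = [next(g["Group Name"] for g in t["Group Name"] if g["Type"] == "Label")
              for t in (a, b)]
    pa = {p["Privilege Name"]: p["State"] for p in a["Privilege Name"]}
    pb = {p["Privilege Name"]: p["State"] for p in b["Privilege Name"]}
    return {"label": tuple(labels),
            "privileges": {n: (pa.get(n, "Absent"), pb.get(n, "Absent"))
                           for n in sorted(set(pa) | set(pb)) if pa.get(n) != pb.get(n)}}

# Constructed samples, abbreviated from Listings 1 and 2 (only the rows needed here).
PASSWORD_LOGIN = r"""
Group Name                             Type  SID
====================================== ===== ============
Mandatory Label\High Mandatory Level   Label S-1-16-12288

Privilege Name     Description                   State
================== ============================= ========
SeBackupPrivilege  Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
"""
PUBKEY_LOGIN = r"""
Group Name                             Type  SID
====================================== ===== ============
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Privilege Name          Description                   State
======================= ============================= ========
SeBackupPrivilege       Back up files and directories Disabled
SeRestorePrivilege      Restore files and directories Disabled
SeCreateGlobalPrivilege Create global objects         Enabled
"""
```

Run `compare_logins(PASSWORD_LOGIN, PUBKEY_LOGIN)` to see the label drop from High to Medium and the backup/restore privileges go from Enabled to Disabled; on a real host, feed it two saved `whoami /all` captures instead.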
