From: Andrew Schulman
To: cygwin AT cygwin DOT com
Subject: Re: admin privileges when logging in by ssh?
Date: Fri, 14 Oct 2011 11:18:44 -0400

> Does Windows 7 Home Premium come with a native whoami?

Yes, it does.

So here's what I've found. I have two users, who get different results.

(1) User admin is a member of the Administrators group. He gets the expected results: whether he logs in by password or pubkey authentication, he can use his administrative privileges.

(2) User backup is a "standard user", not a member of the Administrators group. This is by design, to create a minimally privileged backup user. He has been separately granted SeBackupPrivilege and SeRestorePrivilege via editrights.

When user backup logs in by ssh, he gets different results:

* If he logs in by password authentication, then whoami /all shows the right user name and privileges, and he can use the privileges. See Listing 1 below. So this is fine.

* If he logs in by pubkey authentication, he doesn't get the backup and restore privileges. See Listing 2 below. This is confirmed by e.g.

backup@sulfur ~
$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

So the difference AFAICT is the membership in the Administrators group. Notice also in the two listings below that by password authentication, backup gets

Mandatory Label\High Mandatory Level

while by pubkey, he gets

Mandatory Label\Medium Mandatory Level

whatever those are.

The usual advice for creating backup users is to make them members of the "Backup operators" group, so that they get all of the required privileges for backup. But this isn't possible in the "Home" editions of Windows 7: there's no Backup operators group, and you're not allowed to create one. So I had to fall back to a standard user with an additional grant of SeBackupPrivilege and SeRestorePrivilege.

I also tried adding a few more privileges:

SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege

but it didn't help.

Andrew

----------------------------------
LISTING 1: password authentication
----------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name     SID
============= =============================================
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                           Type             SID                                           Attributes
==================================== ================ ============================================= ==================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                     Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

--------------------------------
LISTING 2: pubkey authentication
--------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name         SID
================= =============================================
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                       Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
SeTimeZonePrivilege           Change the time zone                      Enabled

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
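Added example, not code from the message or from Cygwin: a small parser that pulls the user name, integrity label and privilege states out of two `whoami /all` captures like Listings 1 and 2 and reports what changed between the password and pubkey logons, so the comparison made by eye above can be checked mechanically. The embedded listings are constructed, abridged copies of the two captures with placeholder SIDs; `parse_whoami_all` and `diff_tokens` are names chosen here.

```python
# Constructed, abridged form of Listing 1 (password logon); SIDs are placeholders.
LISTING_PASSWORD = r"""USER INFORMATION
User Name     SID
============= ================
sulfur\backup S-1-5-21-x-x-x-x
GROUP INFORMATION
Group Name                           Type  SID          Attributes
==================================== ===== ============ ===============
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group
PRIVILEGES INFORMATION
Privilege Name     Description                   State
================== ============================= ========
SeBackupPrivilege  Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
"""
# Constructed Listing 2 (pubkey logon): same layout, with the differences the message reports.
LISTING_PUBKEY = (LISTING_PASSWORD.replace(r"sulfur\backup", r"sulfur\cyg_server")
                  .replace("High Mandatory Level Label S-1-16-12288",
                           "Medium Mandatory Level Label S-1-16-8192")
                  .replace(" Enabled\n", " Disabled\n"))


def parse_whoami_all(text):
    """Extract user, integrity level and privilege states from `whoami /all` output."""
    info = {"user": None, "integrity": None, "privileges": {}}
    section, in_table = None, False
    for line in text.splitlines():
        if line.endswith(" INFORMATION"):   # USER / GROUP / PRIVILEGES section header
            section, in_table = line.split()[0], False
        elif line.startswith("="):          # column underline: data rows follow
            in_table = True
        elif in_table and line.strip():
            cols = line.split()
            if section == "USER":
                info["user"] = cols[0]
            elif section == "GROUP" and line.startswith("Mandatory Label\\"):
                info["integrity"] = line.split("\\", 1)[1].split()[0]  # High, Medium, ...
            elif section == "PRIVILEGES":
                info["privileges"][cols[0]] = cols[-1]   # Enabled / Disabled
    return info


def diff_tokens(a, b):
    """Return (field, before, after) for every difference between two parsed captures."""
    out = [(k, a[k], b[k]) for k in ("user", "integrity") if a[k] != b[k]]
    for name in sorted(a["privileges"].keys() | b["privileges"].keys()):
        before = a["privileges"].get(name, "absent")
        after = b["privileges"].get(name, "absent")
        if before != after:
            out.append((name, before, after))
    return out
```

Run `diff_tokens(parse_whoami_all(LISTING_PASSWORD), parse_whoami_all(LISTING_PUBKEY))` on real captures saved from both logon types to get the same three-way comparison (user, integrity label, privilege states) the listings show.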