This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: admin privileges when logging in by ssh?


> Does Windows 7 Home Premium come with a native whoami?

Yes, it does.  So here's what I've found.  I have two users, who get
different results.

(1) User admin is a member of the Administrators group.  He gets the 
expected results:  whether he logs in by password or pubkey authentication,
he can use his administrative privileges.

(2) User backup is a "standard user", not a member of the Administrators 
group.  This is by design, to create a minimally privileged backup user.  
He has been separately granted SeBackupPrivilege and SeRestorePrivilege via 
editrights.

When user backup logs in by ssh, he gets different results:

  * If he logs in by password authentication, then whoami /all shows 
the right user name and privileges, and he can use the privileges.  See 
Listing 1 below.  So this is fine.
  * If he logs in by pubkey authentication, he doesn't get the backup and
restore privileges.  See Listing 2 below.  This is confirmed by e.g.

backup@sulfur ~
$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

So the difference AFAICT is the membership in the Administrators group.
Notice also in the two listings below, that by password authentication,
backup gets

Mandatory Label\High Mandatory Level

while by pubkey, he gets

Mandatory Label\Medium Mandatory Level

whatever those are.

The usual advice for creating backup users is to make them members of the
"Backup operators" group, so that they get all of the required privileges
for backup.  But this isn't possible in the "Home" editions of Windows 7:
there's no Backup operators group, and you're not allowed to create one.
So I had to fall back to a standard user with an additional grant of
SeBackupPrivilege and SeRestorePrivilege.  I also tried adding a few more
privileges:

SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege

but it didn't help.

Andrew



----------------------------------
LISTING 1: password authentication
----------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name     SID                                          
============= =============================================
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                           Type             SID                                           Attributes                                        
==================================== ================ ============================================= ==================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                     Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled 
SeRestorePrivilege            Restore files and directories        Enabled 
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


--------------------------------
LISTING 2: pubkey authentication
--------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name         SID                                          
================= =============================================
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes                                        
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                       Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled 
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled 
SeTimeZonePrivilege           Change the time zone                      Enabled 


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
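
The check below is an added example, not code from the original post or from the Cygwin project. It automates what the post does by hand with `whoami /all`: before a backup job does any work over the ssh session, it confirms the token really belongs to the intended account (the pubkey listing above shows `sulfur\cyg_server`, not `sulfur\backup`), reports the integrity level from the `S-1-16-*` SID (12288 is High, 8192 is Medium, as in Listings 1 and 2), and confirms that SeBackupPrivilege and SeRestorePrivilege are at least present in the token. It assumes the Windows `whoami` binary lives at the path the post uses (`/win/c/...`; a default Cygwin install mounts it under `/cygdrive/c/...`) and that the expected account is `sulfur\backup`; both are overridable. The parsing functions take the `whoami /fo csv` text as an argument so they can be exercised on captured output as well.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight token check for a
# backup job running over a Cygwin ssh session. Uses the Windows whoami in
# CSV mode, which quotes every field, so splitting on `","` keeps embedded
# commas (the Attributes column) intact.
#
# Assumption: Windows whoami is at the path used in the post; override with
# WHOAMI=/cygdrive/c/Windows/System32/whoami on a default Cygwin install.
WHOAMI=${WHOAMI:-/win/c/Windows/System32/whoami}

# token_user USER_CSV -> account name from "whoami /user /fo csv", lowercased
token_user() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        BEGIN { FS = "\",\"" }
        /^"/ { name = $1; sub(/^"/, "", name)
               if (name != "User Name") { print name; exit } }' |
        tr '[:upper:]' '[:lower:]'
}

# integrity_level GROUPS_CSV -> label for the S-1-16-* SID in
# "whoami /groups /fo csv" (12288 = High, 8192 = Medium, as in the listings)
integrity_level() {
    sid=$(printf '%s\n' "$1" | tr -d '\r' | awk '
        BEGIN { FS = "\",\"" }
        /^"/ { if ($3 ~ /^S-1-16-/) { print $3; exit } }')
    case $sid in
        S-1-16-16384) echo "System ($sid)" ;;
        S-1-16-12288) echo "High ($sid)" ;;
        S-1-16-8192)  echo "Medium ($sid)" ;;
        S-1-16-4096)  echo "Low ($sid)" ;;
        "")           echo "none" ;;
        *)            echo "unknown ($sid)" ;;
    esac
}

# priv_state PRIV_CSV PRIVILEGE -> Enabled | Disabled | absent
# "Disabled" means the privilege is in the token and the process may still
# enable it (AdjustTokenPrivileges); "absent" cannot be fixed from inside
# the session at all.
priv_state() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
        BEGIN { FS = "\",\"" }
        /^"/ { name = $1; sub(/^"/, "", name)
               state = $NF; sub(/"$/, "", state)
               if (name == want) { print state; found = 1; exit } }
        END { if (!found) print "absent" }'
}

# check_token USER_CSV GROUPS_CSV PRIV_CSV EXPECTED_USER
# Returns 0 when the session runs as EXPECTED_USER and both backup privileges
# are present (enabled or disabled); returns 1 otherwise. Findings on stdout.
check_token() {
    expected=$(printf '%s\n' "$4" | tr '[:upper:]' '[:lower:]')
    actual=$(token_user "$1")
    rc=0
    printf 'user: %s (expected %s)\n' "$actual" "$expected"
    [ "$actual" = "$expected" ] ||
        { printf 'FAIL: session is not running as %s\n' "$expected"; rc=1; }
    printf 'integrity: %s\n' "$(integrity_level "$2")"
    for p in SeBackupPrivilege SeRestorePrivilege; do
        s=$(priv_state "$3" "$p")
        printf '%s: %s\n' "$p" "$s"
        [ "$s" != absent ] ||
            { printf 'FAIL: %s is not in the token\n' "$p"; rc=1; }
    done
    return $rc
}

# Live check: only runs where the Windows whoami exists (i.e. under Cygwin).
# Default expected account is the post's "sulfur\backup"; pass another as $1.
if [ -x "$WHOAMI" ]; then
    check_token "$("$WHOAMI" /user /fo csv)" "$("$WHOAMI" /groups /fo csv)" \
                "$("$WHOAMI" /priv /fo csv)" "${1:-sulfur\\backup}"
fi
```

Run it at the top of the backup script (`./check_token.sh 'sulfur\backup' || exit 1`); in the situation described in the post it would pass for a password login and fail for a pubkey login, because the token user comes back as cyg_server rather than backup.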

