> Does Windows 7 Home Premium come with a native whoami?

Yes, it does. So here's what I've found. I have two users, who get different results.

(1) User admin is a member of the Administrators group. He gets the expected results: whether he logs in by password or pubkey authentication, he can use his administrative privileges.

(2) User backup is a "standard user", not a member of the Administrators group. This is by design, to create a minimally privileged backup user. He has been separately granted SeBackupPrivilege and SeRestorePrivilege via editrights.

When user backup logs in by ssh, he gets different results:

* If he logs in by password authentication, then whoami /all shows the right user name and privileges, and he can use the privileges. See Listing 1 below. So this is fine.

* If he logs in by pubkey authentication, he doesn't get the backup and restore privileges. See Listing 2 below. This is confirmed by e.g.

    backup@sulfur ~
    $ cat /etc/ssh_host_dsa_key
    cat: /etc/ssh_host_dsa_key: Permission denied

So the difference AFAICT is the membership in the Administrators group.

Notice also in the two listings below, that by password authentication, backup gets

    Mandatory Label\High Mandatory Level

while by pubkey, he gets

    Mandatory Label\Medium Mandatory Level

whatever those are.

The usual advice for creating backup users is to make them members of the "Backup operators" group, so that they get all of the required privileges for backup. But this isn't possible in the "Home" editions of Windows 7: there's no Backup operators group, and you're not allowed to create one. So I had to fall back to a standard user with an additional grant of SeBackupPrivilege and SeRestorePrivilege.

I also tried adding a few more privileges:

    SeTakeOwnershipPrivilege
    SeChangeNotifyPrivilege
    SeImpersonatePrivilege
    SeCreateGlobalPrivilege

but it didn't help.
Andrew

----------------------------------
LISTING 1: password authentication
----------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name     SID
============= =============================================
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                           Attributes
==================================== ================ ============================================= ==================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                     Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

--------------------------------
LISTING 2: pubkey authentication
--------------------------------

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all

USER INFORMATION
----------------

User Name         SID
================= =============================================
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                       Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
SeTimeZonePrivilege           Change the time zone                      Enabled

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
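
Added example, not part of the original post: a small Python script that parses two `whoami /all` captures and reports where the token of one session deviates from the other (user name, mandatory integrity label, privilege states). The sample captures are constructed abbreviations of Listings 1 and 2, and the function names `parse_token` and `diff_tokens` are hypothetical.

```python
import re

# Constructed, abbreviated captures modelled on Listings 1 and 2 of the post.
PASSWORD_LOGIN = r"""
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group
SeBackupPrivilege       Back up files and directories Enabled
SeRestorePrivilege      Restore files and directories Enabled
SeShutdownPrivilege     Shut down the system          Disabled
SeChangeNotifyPrivilege Bypass traverse checking      Enabled
"""
PUBKEY_LOGIN = r"""
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group
SeBackupPrivilege       Back up files and directories Disabled
SeRestorePrivilege      Restore files and directories Disabled
SeShutdownPrivilege     Shut down the system          Enabled
SeChangeNotifyPrivilege Bypass traverse checking      Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Disabled
"""

def parse_token(text):
    """Extract user, integrity level and privilege states from `whoami /all` text."""
    user = re.search(r"^(\S+\\\S+)[ \t]+S-1-\S+[ \t]*$", text, re.M)
    label = re.search(r"Mandatory Label\\(\w+) Mandatory Level", text)
    privs = dict(re.findall(
        r"^(Se\w+Privilege)[ \t]+.*?[ \t]+(Enabled|Disabled)[ \t]*$", text, re.M))
    return {"user": user.group(1) if user else None,
            "integrity": label.group(1) if label else None,
            "privileges": privs}

def diff_tokens(expected, actual, required=("SeBackupPrivilege", "SeRestorePrivilege")):
    """Return findings where `actual` deviates from `expected`; flag required privileges."""
    findings = []
    for field in ("user", "integrity"):
        if expected[field] != actual[field]:
            findings.append(f"{field}: {expected[field]} -> {actual[field]}")
    for name in sorted(set(expected["privileges"]) | set(actual["privileges"])):
        before = expected["privileges"].get(name, "Absent")
        after = actual["privileges"].get(name, "Absent")
        if before != after:
            flag = " [required]" if name in required else ""
            findings.append(f"{name}: {before} -> {after}{flag}")
    return findings

if __name__ == "__main__":
    for line in diff_tokens(parse_token(PASSWORD_LOGIN), parse_token(PUBKEY_LOGIN)):
        print(line)
```

To compare real sessions, save the output of `whoami /all` from each login to a file and pass the file contents to `parse_token`.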