Slashdot Mirror

← Back to Stories (view on slashdot.org)

Longhorn to use UNIX-like User Permissions

Posted by Zonk on from the making-their-own-osx dept.

destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applcations that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."

9 of 697 comments (clear)

  1. Re:Logo Program by maxwell+demon · · Score: 4, Informative
    How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

    I guess you meant it's a very low percentage ...
    --
    The Tao of math: The numbers you can count are not the real numbers.
  2. LUA? by JabberWokky · · Score: 4, Informative
    I realize it's hard to come up with simple names, but it's going to be annoying trying to Google for stuff about Lua soon.

    --
    Evan (Really nifty language)

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  3. XP does that. User permissions are not the problem by Anonymous Coward · · Score: 5, Informative

    The permission mechanisms in Windows NT/2k/XP are pretty flexible. Unix is only just migrating from the old user/group/world permission set to access control lists, something that is readily available for just about everything in the Windows operating system, from files to individual registry entries.

    The problem with Windows permission management is that a) it is completely hidden from the casual user, b) there are no guidelines how applications can be made to work with restricted privileges and programmers are too lazy to figure it out themselves and c) the default XP install makes everybody an admin, so there is very little incentive for application programmers to get it right.

  4. Re:Finally... by zenray · · Score: 4, Informative

    We've had the same issues at work but we've found that if you examin the bad applications closely they mostly want write access for the user in the 'programs files' area or the windows or winnt area. Giving users of these programs the proper write access solves most of the problems. We found one program that required a registery edit to work properly with just 'user' privilages. It is a major PITA to find out all these details to tighten security but we are doing it.

    --
    zenray
  5. Re:Finally... by Malc · · Score: 4, Informative

    Can I recommend Aaron Margosis' blog? It provides a lot of tips for running as non-admin. His PrivBar is very helpful. He also talks about scripts that launch other apps with elevated permissions without having to log off - they change the user's permissions (give them admin rights), logon as that user, launch the app, and finally reset the permissions, all within the current user's session.

    There's a lot that can be done to enable software to play nicely under a limited user account. Sometime's it's not worth the effort, but in some cases changing permissions on select registry keys and NTFS folders can get things working.

  6. Re:Logo Program by nine-times · · Score: 4, Informative
    WHQL. Yes. I believe it was when Windows XP first came out (or maybe it was still when win2k was new?), Microsoft had a version of the driver in the OS and on the Windows update site with a lot of OpenGL features stripped. It worked, but was a little broken and very slow, but Direct3D worked fine. The same version of WHQL signed drivers from Nvidia's site didn't have OpenGL problems, but Windows would still claim the drivers were unsigned, and Windows Update would always ask you to "upgrade" to Microsoft's version, even if the Nvidia drivers already installed were newer.

    So basically, there were conspiracy theories that it was done on purpose, but nothing definitive. Seriously, am I the only one who remembers this? I wasn't even sure it this behavior ever really changed, but it was enough to convince me to always get drivers from the manufacturer (not MS) and ignore the driver signing warnings Windows threw up.

  7. Re:Come on over to Linux! by Narchie+Troll · · Score: 5, Informative

    'Being root' and running a SUID CD burning application is rather different. In fact, it's entirely different, since you're granted no special rights as a user.

    You do not have to be root to mount anything. That's what /etc/fstab is for, specifically the user flag. That is indeed a bogus claim.

    Most programs can be installed as a regular user under $HOME. I've done it many times on systems where I have no root access. This includes everything from Lua to GTK+. In fact, very few Linux programs require root access to install and use properly.

    Either you haven't used Linux, or you haven't bothered to learn how to use it properly.

  8. Mount points have been supported since 2000 by melted · · Score: 5, Informative

    Mount points have been supported since 2000 in Windows. And hardlinks. ACLs and multiple streams per file were supported almost from the very beginning.

    Before bashing something you should at least RTFM, otherwise you just look like a typical teenage Linux zealot.

  9. Re:Logo Program by T5 · · Score: 4, Informative

    Let's go over this week's list of problems:

    1) HP scanner software - as administrator, works fine. As user, press a button on the scanner and the software can't find the scanner (!).

    2) Norton Systemworks - as administrator, updates just fine. As user, can't run updates.

    3) Turbotax. Same as Systemworks.

    And that's just this week!