Slashdot Mirror


Longhorn to use UNIX-like User Permissions

destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applications that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."

10 of 697 comments

  1. 'User' attitudes by Jumbo Jimbo · Score: 5, Insightful

    I think that it's a good start and may well make a big difference in companies which use Windows as their desktop platform and have system administrators who can control user accounts.

    This section from the article seems to have a good point: A strictly enforced LUA model could make it harder for worms and viruses to take over Windows systems. But Microsoft may have a tough time changing user and developer behaviour, even with new features that support the LUA regime in Longhorn, experts warn.

    On home systems, we still currently have enough problems trying to convince people not to open dubious attachments, or with people giving sites permission to install practically anything on their machines. It will take a big shift in attitudes (or Microsoft forcing the user to jump through hoops) to make many home users have anything but admin-privilege accounts.

    1. Re:'User' attitudes by Cosine Jeremiah · Score: 5, Insightful

      Macintosh users adjusted rather well to OS X's behavior, which basically mimics a GUI sudo whenever root privs are needed. I think if application installers start popping up the password prompt, people will figure out what to type in there.

      On the other hand, perhaps people will end up getting too used to typing in the password whenever it's presented.

      "Installer? Check! Installer? Check! Virus? Check!"

  2. Of course... by Anonymous Coward · Score: 5, Insightful

    The permissions will permanently be set to 777.

    The problem has never been a lack of permissions in NTFS, just that no one uses them well.

  3. Re:-rw-r--r-- by Narchie Troll · Score: 5, Insightful

    Note that the discussion isn't about using literal Unix-style permissions -- the title is rather misleading. NTFS permissions are very good; in some ways, they are superior to classic Unix permissions (but not necessarily to Posix ACLs).

    Instead, the Windows security model is (apparently) going to be more Unix-like, in that the demarcation between administrator (root) and normal user will be more strict. Mostly, this means making software developers allow their programs to be installed and run with limited permissions, unlike the current admin-fest.

    There are many ways that Microsoft could fuck this up, but I hope they don't. Unlike some people, I have no investment in constantly repairing ruined systems.

  4. What worries me about manifests by tepples · Score: 5, Insightful

    But here's something that worries me more about manifests:

    Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly and can be signed by independent software vendors to ensure integrity. Deployment manifests, signed by IT departments, will allow network administrators to dictate how much trust an application should have on the network, according to the documents.

    Based only on this part, it appears that an application manifest must be published by an entity that can afford three figures USD per year for a code signing license. Developers of free software and proprietary freeware often cannot afford this annual fee. My worry is that Longhorn Home Edition may not permit users to install customized deployment manifests, locking users into using only programs with an application manifest, that is, proprietary commercial software.

  5. Not Permissions, Just Common Sense Default ACLs by foo fighter · Score: 5, Insightful

    This isn't Windows switching from their ACL model to a UNIX permission model.

    One, they are pushing for 3rd-party developers to finally stop requiring simple apps like kid's software and low-end desktop publishing to be run with escalated privileges.

    I mean, these application developers have had since '98 or '99 to work this out. But Windows' lax defaults and lack of user education didn't force the issue. Microsoft is finally, /finally/, forcing the issue.

    Two, it is Microsoft finally realigning their default ACLs to be at once more secure and more common sense.

    It makes no sense for a home user to not be able to control their power settings or change their system time unless they have escalated privileges.

    Really, this isn't so much Windows following UNIX as it is Windows following OS X.

    Finally, and this is IMHO, going to a permission model would be a *huge* step backwards. I know UNIX die-hards will flame me for this, but it is my experience that ACLs are much more flexible and lucid than permissions.

    --
    obviously no deficiencies vs. no obvious deficiencies

  6. Windows biggest problem by erroneus · Score: 5, Insightful
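
    Comments 2, 3 and 5 above make the same point from different angles: NTFS ACLs are capable, the trouble is how they get set. The PowerShell below is an added example for this mirror, not code from the thread, from Microsoft or from any product it names. It walks a directory tree for ACEs that amount to a Unix 777 (write-class rights granted to Everyone, Users or similar), then replaces one directory's ACL with an explicit least-privilege one and audits again. The principal list, the rights mask, the "maintainer" account and the demo path under $env:TEMP are this example's own assumptions.

```powershell
# Added example for this thread, not code from Slashdot, Microsoft or any
# product named in it. Finds NTFS ACEs that amount to "chmod 777" and
# replaces one directory's ACL with a least-privilege one. Assumes Windows
# PowerShell 5.1 or PowerShell 7 on Windows; the principal list, the rights
# mask and the demo path under $env:TEMP are this example's own choices.

# Principals so broad that a write grant to them is effectively "world".
$script:BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change content, delete, or rewrite the ACL.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear on some
# inherited ACEs and have no FileSystemRights name, so they are added by hand.
$script:WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                    [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                    [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                    0x40000000 -bor 0x10000000

function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Walk a tree and emit every Allow ACE that gives a broad principal write-class rights.
function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($script:BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $script:WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Replace the ACL with explicit least-privilege entries: admins and SYSTEM
# manage it, one maintainer account may modify, everyone else only reads.
function Set-LeastPrivilegeAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$MaintainerIdentity   # e.g. a service account
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl = Get-Acl -LiteralPath $Path
    # Cut inheritance and discard the inherited ACEs, so whatever the parent
    # handed to Everyone no longer applies here.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    $grants = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($MaintainerIdentity,      'Modify'),
        @('BUILTIN\Users',          'ReadAndExecute')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# --- Demo: make a "777" directory, audit, harden with the current user as maintainer, re-audit. ---
$demo = Join-Path $env:TEMP 'lua-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'settings.ini') -Value 'key=value'
$bad = Get-Acl -LiteralPath $demo
$bad.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -LiteralPath $demo -AclObject $bad
"Elevated session: $(Test-IsElevated)"
"Before:"; Find-BroadWriteAce -Path $demo | Format-Table -AutoSize
Set-LeastPrivilegeAcl -Path $demo -MaintainerIdentity ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
"After:";  Find-BroadWriteAce -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

    The demo needs no elevation: the current user owns the directory it creates, and an owner can always rewrite that object's DACL. The second audit is the check; the Everyone entry should no longer be reported on the directory or on the file that inherited it. Pointing Find-BroadWriteAce at a real application directory under Program Files or ProgramData is the quickest way to see how many installers still grant Users or Everyone write access, which is the "admin-fest" the thread is complaining about.
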

    I'd love to blame Microsoft for their own operating system problems, but really, the blame is mostly on the third party developers.

    It has been this way from the beginning... as far back as I can see, developers skirted the BIOS because BIOS calls were too slow -- that was back when the BIOS was part of the OS. This is not a Microsoft problem, but it adds to understanding of how the culture evolved. "Forget about standards and interoperability, we need to deliver performance!" The error in judgement has been costly.

    Today developers continue to write code that uses and exploits bugs and irregularities in the MS Windows operating system environment. If I learned nothing else from reading the comments found in the Windows Source code scandals, I learned that Microsoft became obliged to add code to emulate bugs and irregularities for specific applications to continue to run properly. In a perfect world, the app writers would write code using the APIs as documented. (And when bugs and irregularities were found, Microsoft would FIX them to discourage developers from utilizing the strange or buggy behaviors)

    Developers should be mature enough to realize that any bug or irregularity found in an OS API should be considered subject to change and could break their software once it is fixed. It kinda bugs me that these "paid professionals" were and continue to be so short-sighted.... (meanwhile, these Open Source Amateurs rely almost exclusively on documented API functions and features simply because bugs and irregularities are often fixed quickly enough that to write code against them would mean they would need to update their code AGAIN.)

    I think this kind of speaks volumes about where the real weakness in commercial software development lies -- in the motivation.

  7. Re:Swing and a miss... by Elwood P Dowd · Score: 5, Insightful

    > Installing software is an administrative task, not a user task. Software installation *should* require admin access.
    >
    > Just one more example of MS not understanding the difference between administration and use.

    No, no, no. You couldn't be more full of shit if you tried. In Linux, you can
    ./configure --prefix=$HOME
    In OS X, you can
    ./configure --prefix=$HOME/Library
    or leave your .apps in ~/Applications/. The whole point is to make it so that users can install applications without it installing spyware all over your system directories. Software installation shouldn't require admin privs. You should be able to do just about anything to your computer without affecting other users.
    --

    There are no trails. There are no trees out here.
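
    The reply above argues that a per-user install prefix is the right answer to "installation needs admin". The PowerShell below is an added example for this mirror, not code from the thread, from Microsoft or from any installer it mentions: it is the Windows counterpart of ./configure --prefix=$HOME, installing an unpacked application tree under the user's own profile and extending the per-user PATH, with a guard so that a crafted application name cannot turn the user install into a write outside the profile. The $env:LOCALAPPDATA\Programs layout, the elevation warning and the constructed demo tree are this example's own choices.

```powershell
# Added example for this thread, not code from Slashdot, Microsoft or any
# installer it mentions: the Windows counterpart of "./configure --prefix=$HOME".
# Installs an unpacked application tree under the user's own profile and puts
# it on the per-user PATH, so no admin token and no write to Program Files,
# System32 or HKLM is involved. Assumes PowerShell 5.1+ on Windows; the
# $env:LOCALAPPDATA\Programs layout and the demo tree are this example's choices.

function Install-PerUser {
    param(
        [Parameter(Mandatory)][string]$SourceDir,   # unpacked release tree
        [Parameter(Mandatory)][string]$AppName
    )
    $dest = Join-Path (Join-Path $env:LOCALAPPDATA 'Programs') $AppName
    $full = [System.IO.Path]::GetFullPath($dest)

    # Refuse anything that resolves outside the profile: an AppName such as
    # '..\..\..\..\..\Windows' must not turn a user install into a system write.
    $profileRoot = [System.IO.Path]::GetFullPath($env:USERPROFILE).TrimEnd('\') + '\'
    if (-not $full.StartsWith($profileRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to install outside the user profile: $full"
    }

    # A per-user install run from an elevated shell leaves admin-owned files in
    # the profile and hides exactly the privilege problems LUA is meant to expose.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Running elevated; a per-user install should not need this.'
    }

    New-Item -ItemType Directory -Path $full -Force | Out-Null
    Copy-Item -Path (Join-Path $SourceDir '*') -Destination $full -Recurse -Force

    # The per-user PATH lives under HKCU, so extending it needs no elevation either.
    $parts = @([Environment]::GetEnvironmentVariable('Path', 'User') -split ';' | Where-Object { $_ })
    if ($parts -notcontains $full) {
        [Environment]::SetEnvironmentVariable('Path', (($parts + $full) -join ';'), 'User')
    }
    return $full
}

# --- Demo with a constructed release tree (placeholder content). ---
$src = Join-Path $env:TEMP 'myapp-release'
New-Item -ItemType Directory -Path $src -Force | Out-Null
Set-Content -LiteralPath (Join-Path $src 'myapp.cmd') -Value '@echo myapp running as %USERNAME%'
$installed = Install-PerUser -SourceDir $src -AppName 'MyApp'
"Installed to $installed"
Get-ChildItem -LiteralPath $installed | Select-Object -ExpandProperty Name
try { Install-PerUser -SourceDir $src -AppName '..\..\..\..\..\Windows' } catch { "Blocked: $($_.Exception.Message)" }
```

    Everything the function touches (the Programs folder under LOCALAPPDATA and the user's own Path value in HKCU) is already writable by a limited user, which is the whole point of the reply: an application that only needs this does not need an administrator, and one that insists on Program Files or HKLM is the application's problem, not the user's.
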
  8. Re:Logo Program by univacmac · Score: 5, Insightful

    I never gave a damn if my drivers were signed or not - I wanted the device to work, and if that was the only driver I could use, screw windows. :D

  9. Re:Logo Program by zippthorne · Score: 5, Insightful

    The drivers that came with my motherboard are not signed, the driver for my monitor is not signed (it's quite old), I forget about the graphics card.. printer drivers not signed - what am I supposed to do? use my computer with the "default" monitor at much lower resolution and refresh rate than my monitor is capable of, and never print anything?

    --
    Can you be Even More Awesome?!