Longhorn to use UNIX-like User Permissions
destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applications that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."
Whilst this is a step in the right direction, I'd be willing to bet that Microsoft will put a hefty fee on the LUA Principles program, putting it out of the reach of a lot of smaller software houses.
If this is the case, then users will once again become used to just allowing any old piece of software to install with higher privileges, totally defeating the purpose of this.
How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned? I'd presume it is a very high percentage.
You can lead a horse to water, but you can't make it drink.
It's about damned time this issue gets addressed. Every day at work I have to fight with this M$ limitation. Chief among the offenders are:
- Kodak Share software
- Autocad
- Any serial port emulation program
- PowerDVD
Most users must be elevated to Power User status on their machines to allow them to do anything nowadays, while there are plenty of programs (like the ones listed above) that will malfunction or simply refuse to work with anything less than full Admin rights. Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.
____
~ |rip/\/\aster /\/\onkey
"Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly."
I recall a few years ago when all applications even MS Office came with this type of documentation so that Netware administrators could install the software and configure the "rights" properly.
I had recently encountered a few Windows applications where permissions were a problem and I was reminiscing about just that. Serendipity?
This might not change much; Windows users are generally lazy. I see most people will just log in as an administrator and stay that way forever. The article didn't mention how easy it would be to switch to an administrator either, like Unix's su. No matter what Microsoft does, security will always be a huge problem; users don't want to change, they like it easy.
Thank God. I can't count the number of times I've had to deal with the stupid permission settings in Windows. Even for a simple thing like sharing files and folders over a home network. Their system is so convoluted and just completely stupid - pointing and clicking through various menus to set attributes... conflicting attributes... and all kinds of other crap. I was trying to set up access permissions on a home networked machine whereby it would authenticate against another machine on the same network. But you can't do that with "Workgroups". Only "Domains". All I have is a small home network of 3 machines - I have to set up a Domain Controller now? Why the distinction? All the "features" that Microsoft has for their permissions system are simply inane and counterintuitive. To keep myself from pulling out all my hair, I just set the permissions to Everyone so that everyone and their mom on the home network can access the folder. But since it's just me at home, that's alright. And even then I've had trouble with that.
I'm glad they've decided to scrap it and move to a more unix-like. The next thing they should do is change their "automated task scheduler" tool. Make it more like cron. "at" just sucks.
Vivin Suresh Paliath
http://vivin.net
I like
I'd return the game to the manufacturer and tell them that was not one of the requirements on the outside of the box and you do not have access to play the game under an admin account. There's no reason a game should have free reign of a system.
Incidentally none of my games on OS X require superuser or even an admin account. Although they require it for installation if you install anywhere else but ~/
Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
For those who have never really thought about this issue (drive letters vs mount points), here are a few of my thoughts on the issue. I'd welcome people to comment on why they think drive letters might be a good idea. Does anyone know why drive letters were originated? An inability of early DOS-like systems to do mount points that never died?
Although *nix has had the problem of strange names (a legacy thing) and changing naming conventions (/srv, etc.), the idea that, for the most part, you always go to the same location for the same thing is great. With drive letters, sometimes a cdrom is D, sometimes E, sometimes xyz... when you get into network drives, things are at the whim of the guy that set up the scheme in the first place. Is my user drive F or G (my workplace currently maps both)?
If instead the user drive was always mapped to ..Docs & Settings\myuser, the network would gain more transparency. If you change jobs, you don't have to learn a new drive letter scheme (no big deal for us, but think of the users... won't someone think of the users?).
Anything that can be done to make things seem more transparent to a user without obfuscating other aspects of the system is good imo.
-Ben
I'm assuming 2000 or XP here, but try shift right clicking and using run-as. It will prompt for an account. Enter the administrator password. That may help. Run-as is a crappy comparison to sudo, su.
Google for runas.
Microsoft is excellent at deflecting criticism by promising fixes, then delivering what are only modest improvements.
When Microsoft software has an obvious problem that competitive software does not, the general pattern is that a) Microsoft claims the next release will fix it; b) the next release falls far short of a fix but is nevertheless a noticeable improvement; c) applause from Microsoft fanboys drowns out those would observe they still haven't achieved parity with the non-Microsoft state-of-the-art.
Since Microsoft users live in a sealed universe--they're too busy keeping up with security patches, changes in API's, and evolving purchase and licensing plans to have the time to ever use any non-Microsoft software--Microsoft gets away with this pattern of "big promise, partial delivery"
Complaints about Windows 3.0 instability were met by the assertion that you "would never see a UAE in Windows 3.1."
Complaints about FAT fragmentation were met by assertions that NTFS would not require defragmentation.
Comments that Windows 3.X was far less usable than the Mac OS were met by assertions that Windows 95 would be just as good as the Mac.
Complaints that installing software under NT 3.x were met by assertions that NT 4.0 would not require rebooting....
"How to Do Nothing," kids activities, back in print!
Unix permissions _do suck, they're too simplistic and ACLs solve a lot of the problems inherent to it.
The UNIX® permissions model has had access control lists pretty much forever. Every user can belong to one or more lists of users called "groups", and each file designates a set of permissions ("Access Control") for a group ("List"). Some file systems allow for more sophisticated ACL behavior by specifying more than one (access control, group) tuple.
But ACLs are broken anyway; the next wave of permissions architecture is capabilities, as seen in EROS and other research operating systems.
Actually you made me think of an interesting point: if M$ wants the vendor to produce a summary of the permissions necessary for a program to run, would it be possible to have the program reduce its own permissions to the minimum necessary? For instance, if you open IE as an administrator, IE could immediately reduce its permissions to the absolute lowest level possible. This WOULD help quite a bit.
This was why I had to drop Winamp. My choices were to either run Winamp as Administrator or not have access to the media library function.
Blah. It's a good thing iTunes rocks.
Yes, but how many games run SetUID root in OSX? (don't have a clue, just wondering)
Games like Abuse do this in Linux and it's always getting new exploits. How many game developers are dedicated to tightening down the security of their code?
Adding a meaningful permissions scheme will either kill many of my kids games, force a repurchase, or give me loads of headaches. When we got an XP box, I thought "Great, no crap installed by teenagers." Then I found that none of their games would play without write ability to the game directory in 'Program Files'. So guess what? They are administrators, too. We're not talking small stuff or fly-by-night companies. My kids have worked very hard to keep EA Games in business. I'm glad they will be out of my house when Longhorn comes around. Let the university's tech support sort it out with them.
There were similar problems with Eudora, which my wife uses for email. So, she's an administrator, too. And Eudora had its own headache under XP--she and I could not share mailboxes as we had done under Win98, even if the mailboxes were in a shared directory.
Good thing I have my own Linux box. When the kids and their games leave, I'm getting the Mrs. a Mac and shining on we're-all-administrators-here Windows for good.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
Installing software is an administrative task, not a user task. Software installation *should* require admin access. Just one more example of MS not understanding the difference between administration and use.
Who is going to be the admin for home users?
IMO, this isn't a Microsoft problem, but lazy or ignorant 3rd party developers.
I wholeheartedly agree. Microsoft Windows 2000/03 does have a detailed security model. You can grant or deny privileges to just about any file or registry key.
Microsoft has provided information on the security model. MSDN provides best practices for coding, including where to place user settings and why. Technet provides details on what to secure and why. So, why do software houses put out products that require elevated privileges? Why do administrators set up people to run their computers as administrators?
Laziness! If you are a programmer, I kindly ask you to review the MSDN documentation and write secure code. If you are a network administrator, I suggest you learn the OS and secure the computers.
Network admins can use tools like Sysinternals Filemon and Regmon to see what these crackpot applications are trying to write to. Then, grant the user privileges to these areas. Admins who take the easy way out by granting administrative privileges are just plain lazy.
My two cents,
J Wolfgang Goerlich
I know I'm going to get flamed horribly for this, but I consider this a downgrade. The Windows permission system (which is essentially the VMS permission system) is far better than the one for Unix, offering much better controls, especially for large-scale servers where administrative responsibilities are divided between teams. I think the real problem with Windows is that it didn't go far enough in implementing the VMS permissions model. On VMS it's common for highly privileged users to run in an unprivileged state with few privileges except the power to grant themselves most privileges, and then do the following:
a) Run in an unprivileged state until they get a privilege error
b) Determine if they really want to do the thing that caused the error
c) If yes, temporarily grant themselves permission to do this thing. This is sort of like sudo, but it only grants one particular type of privilege, not everything at once.
d) Try again. If they get another permissions error on another permission repeat steps b and c.
e) Once successful (or once they decide not to complete the action), lower their permissions back down to their normal level.
The closest analogy for people who haven't used VMS or a mainframe would be OS X when it asks you specifically before you do an administrative task.
This is way safer than Unix's system of permissions. The problem is that applications just fail for lack of privilege and the interface doesn't make it easy to bump all over the place. Frankly I think adopting the Unix model with less fine grained privileges is a major downgrade to NT. The problem is with the applications (including those written by Microsoft) not the OS.
On another forum I noted the howls of indignation and protest when Mac users who were used to the old System software took the leap to OS X with Unix permissions and accesses.
A number of us did our best to try to dissuade users from operating in "root" or god mode because it is dangerous. I recall being flamed for having tried to tell one poor soul about how he had regularly and routinely messed up his system by doing that and that if he decided to simply create a user who could administrate the computer, he'd be fine.
"I realize you want the operating system to 'be good' and work that way, but it doesn't. Sorry about that."
And now Microsoft is going to adopt Unix permissions. How wonderful. Apple has a pretty small user-installed base. I believe it's growing due to their hardware, like the iPod and their new Mac Mini, but it took some patience from Apple gurus as well as Apple to help people over that "permissions thing" hump.
Compared to that little dustup, Microsoft's adoption of Unix permissions should be a lot like dropping a 20 gigaton thermonuclear device on the computing world. Apple released a "Repair Permissions" script which should be run regularly after updates to verify and change back any mangled permissions. I'd imagine Microsoft will do the same -- in about three years.
Gods don't kill people, people with gods kill people.
Actually they did standardize this policy. It has been a part of the Windows Logo since NT was released. The requirements to meet Windows Logo standards form a large document that describes how applications and drivers should behave, from user interface to appropriate permission levels. In order to achieve Logo, an application must be able to function under the Users group, which is at least as strict as a user on a UNIX box. This means that the process can only write to the user's own profile directory and the CURRENT_USER section of the registry.
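The loop Goerlich describes earlier in the thread (watch with Filemon/Regmon where an application tries to write, then grant the user rights to just those areas) and the Logo rule quoted above (writes only under the user's profile and HKEY_CURRENT_USER) can be scripted. The PowerShell below is an added example, not code from the thread, from Microsoft or from Sysinternals. ExampleApp, DOMAIN\jdoe, the profile path and every entry in the observed-write list are constructed placeholders standing in for real Filemon/Regmon output; the cmdlets and ACL classes used are standard ones.

```powershell
# Added example, not from the thread. Triage an application's observed write
# locations against the Logo rule (writes only under the user's profile and
# HKEY_CURRENT_USER), then grant the narrowest ACL where the app misbehaves,
# instead of making the user an Administrator. Run from an elevated prompt.
# ASSUMPTIONS: $User, $ProfileRoot, "ExampleApp" and every path below are
# placeholders / constructed sample Filemon and Regmon output.

$User        = 'DOMAIN\jdoe'                        # placeholder account
$ProfileRoot = 'C:\Documents and Settings\jdoe'     # placeholder profile

# Constructed sample: locations the application tried to write, as an admin
# would read them off Filemon (files) and Regmon (registry keys).
$ObservedWrites = @(
    "$ProfileRoot\Application Data\ExampleApp\settings.ini",
    'C:\Program Files\ExampleApp\data\cache.dat',
    'HKCU:\Software\ExampleApp',
    'HKLM:\SOFTWARE\ExampleApp\Licensing'
)

function Test-LogoCompliantWrite {
    # True when the target is one a Users-group process may already reach:
    # the user's own profile or HKEY_CURRENT_USER.
    param([string]$Path)
    return ($Path -like 'HKCU:\*') -or ($Path -like "$ProfileRoot\*")
}

function Grant-MinimalWrite {
    # Add one Allow ACE for $Identity on exactly the location the app needs.
    # Registry entries are treated as keys; file entries get Modify on the
    # containing directory so the app can create and rewrite its files.
    param([string]$Path, [string]$Identity)

    if ($Path -like 'HK*') {
        $acl  = Get-Acl -Path $Path
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey, SetValue, CreateSubKey',
            'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        return $Path
    }

    $dir  = Split-Path -Parent $Path
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
    return $dir
}

function Find-BroadWriteGrants {
    # Check: report ACEs that hand write/modify rights to Everyone or the whole
    # Users group on a directory, the over-broad shortcut the thread complains about.
    param([string]$Directory)
    (Get-Acl -Path $Directory).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match '^(Everyone|BUILTIN\\Users)$' -and
            $_.FileSystemRights -match 'Modify|FullControl|Write'
        }
}

$Changed = foreach ($target in $ObservedWrites) {
    if (Test-LogoCompliantWrite $target) {
        Write-Host "OK        $target (profile/HKCU, no change needed)"
        continue
    }
    Write-Host "VIOLATION $target -> granting $User minimal write"
    Grant-MinimalWrite -Path $target -Identity $User
}

# Verify no touched folder ends up with (or already had) an over-broad grant.
foreach ($dir in ($Changed | Where-Object { $_ -notlike 'HK*' } | Sort-Object -Unique)) {
    $broad = Find-BroadWriteGrants -Directory $dir
    if ($broad) {
        Write-Warning "$dir grants write to a broad group: $($broad.IdentityReference -join ', ')"
    }
}
```

With the constructed input, the two profile/HKCU entries are reported as compliant and left alone; the Program Files data directory and the HKLM licensing key each get a single ACE for the named account, which is the narrow grant Goerlich recommends over adding the user to Administrators. The final check exists because the easy fix in practice is to give Everyone write on the folder, which reopens the hole the exercise was meant to close.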
Microsoft has been shouting this shit out for over a decade. People just don't fucking listen. Most developers are simply lazy morons that perform the absolute minimum level of work. This isn't a Windows problem; it's a human problem. I've worked with solutions on Windows, AIX, HPUX, SCO and RedHat Linux servers. The vast majority of these solutions are designed pitifully.
Even the one on Linux, an autodialer platform, required users to log in as root with +wx to the directories containing the very programs themselves, and the company exposed a TCP daemon that would allow outside forces to run ANYTHING under the context of root, including "rm -r /", just by telnetting to the port and typing "RUN0command\m".
On the AIX box we ran an accounting package where everyone had to log on using a single sign-on with a 4 character maximum password. Again, the user had full +rw priv to the major data and program directories. Any time a program crashed, or anytime a user hit Ctrl-C, any program would be broken out to a debugger where the user could then modify the execution context, or worse, quit out to a commandline where they could issue commands directly against the database, including deleting complete tables. The solution could not function without the user having this permission.
And in both of the previous examples the solutions had to be rebooted every single night per the support contract with the vendor. This was in order to clean up the memory that the shittily written apps and services spewed all over the place.
And we're not talking cheap stuff, here. In both of these cases the software solution costs approximately $1,250-$2,500 per *user*. If it weren't for the fact that these solutions represent the aggregate of decades worth of experience and development I would write my own in a heartbeat, but it's hard to convince your boss to hand over that amount of time and resources when they can "live with" what they got.
Abso-fucking-lutely ridiculous.