Slashdot Mirror

← Back to Stories (view on slashdot.org)

Longhorn to use UNIX-like User Permissions

Posted by Zonk on from the making-their-own-osx dept.

destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applcations that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."

12 of 697 comments (clear)

  1. Logo Program by ShepyNCL · · Score: 3, Interesting

    Whilst this is a step in the right direction, Id be willing to bet that Microsoft will put a hefty fee on the LUA Pricniples program, putting it out of the reach of a lot of smaller software houses.

    If this is the case, then users will once again become used to just allowing any old piece of software to install with higher privileges, totally defeating the purpose of this.

    How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

    You can lead a horse to water, but you cant make it drink.

    1. Re:Logo Program by gl4ss · · Score: 3, Interesting

      *How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.*

      I prefer to continue installation and have a functional system with the latest drivers than to run a ms certified box(driver certs never guaranteed them to not bsod either).

      --
      world was created 5 seconds before this post as it is.
    2. Re:Logo Program by nine-times · · Score: 4, Interesting
      How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

      The percentage might be higher if the signed-driver thing didn't seem to be used for Microsoft's anti-competitive purposes. Or does no one else remember the fiasco where Windows would complain when you tried to install certified drivers from Nvidia, and instead direct you to install a Microsoft-altered version of the driver with crippled OpenGL?

  2. Finally... by TripMaster+Monkey · · Score: 5, Interesting
    From the article:


    Application developers who log on to their development machines as administrators when they write code create programs that assume that level of privilege but have trouble when run by a user with reduced permissions, according to Brown's work, which estimated that 90 percent of Windows software can't be installed without administrator access to Windows, and that 70 percent won't run properly unless the user is an administrator.


    It's about damned time this issue gets addressed. Every day at work I have to fight with this M$ limitation. Chief among the offenders are:

    - Kodak Share software
    - Autocad
    - Any serial port emulation program
    - PowerDVD

    Most users must be elevated to Power User status on their machines to allow them to do anything nowadays, while there are plenty of programs (like the ones listed above) that will malfunction or simply refuse to work with anything less than full Admin rights. Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Finally... by Anonymous+Luddite · · Score: 5, Interesting

      >> Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.

      That's where I live buddy.

      We have a room full of people of varying ability who all have unlimited access because [censored p.o.s. software package] doesn't run otherwise. These guys surf a lot, clicking "yes" on every friggen dialogue box they see... literally can't go a full week without some exploit being loaded.

      zero user buy-in for security - When someone shows up to remove the exploit-of-the-week for them, they get is static about "touching my machine". It pains me to be in the same room sometimes...

      --
      http://request-header.info
    2. Re:Finally... by Rycross · · Score: 5, Interesting

      We run all of our users as users at work. Some of the programs which don't work can be made to work by fiddling with file permissions and the security policies. For programs that just won't work without admin priveledges, we provide an admin account which has been modified so that you cannot log into it (by having a script that logs you out as soon as you log in). The users use the "Run as..." option, and run their programs using this administrator account. Thus they can't do everything as administrator, but programs that require the permissions can be run.

    3. Re:Finally... by Spy+der+Mann · · Score: 5, Interesting

      Chief among the offenders are:

      - Kodak Share software
      - Autocad
      - Any serial port emulation program
      - PowerDVD

      Shouldn't Microsoft Logo certification do something about this? I mean, isn't there a clause saying "Thou shalt let users run thy program withoust being administratorths" or something?

  3. Memories by FreeLinux · · Score: 4, Interesting

    Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly

    I recall a few years ago when all applications even MS Office came with this type of documentation so that Netware administrators could install the software and configure the "rights" properly.

    I had recently encountered a few Windows applications where permissions were a problem and I was reminiscing about just that. Serendipity?

  4. A step in the right direction but.. by thundercatslair · · Score: 5, Interesting

    This might not change much, windows users are generally lazy. I see most people will just log in as an administrator and stay that way forever. The article didn't mention how easy it would be to switch to an administrator either like unix's su. No matter what microsoft does security will always be a huge problem, users don't want to change they like it easy.

  5. Re:Home by Queer+Boy · · Score: 4, Interesting
    I have a game, that no matter what I do to the permissions, will not run under any account other than the owner/administrator.

    I'd return the game to the manufacturer and tell them that was not one of the requirements on the outside of the box and you do not have access to play the game under an admin account. There's no reason a game should have free reign of a system.

    Incidentally none of my games on OS X require superuser or even an admin account. Although they require it for installation if you install anywhere else but ~/

    --
    Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
  6. Re:'User' attitudes by immortalpob · · Score: 3, Interesting

    Actually you made me think of an interesting point, if M$ wants the vendor to produce an summary of the permissions necessary for a program to run, would it be possible to have the program reduce it's own permissions to have the minimum necessary. For instance if you open IE as an administrator IE could immediately reduce its permissions to the absolute lowest level possible, this WOULD help quite a bit.

  7. Re:Home by l0perb0y · · Score: 3, Interesting

    Yes, but how many games run SetUID root in OSX? (don't have a clue, just wondering)

    Games like Abuse do this in Linux and it's always getting new exploits. How many game developers are dedicated to tightening down the security of their code?