Longhorn to use UNIX-like User Permissions

destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applcations that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."

Logo Program

[ShepyNCL]

Whilst this is a step in the right direction, Id be willing to bet that Microsoft will put a hefty fee on the LUA Pricniples program, putting it out of the reach of a lot of smaller software houses.

If this is the case, then users will once again become used to just allowing any old piece of software to install with higher privileges, totally defeating the purpose of this.

How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

You can lead a horse to water, but you cant make it drink.

Re:Logo Program

[maxwell+demon]

How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

I guess you meant it's a very low percentage ...

Re:Logo Program

[gl4ss]

*How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.*

I prefer to continue installation and have a functional system with the latest drivers than to run a ms certified box(driver certs never guaranteed them to not bsod either).

Re:Logo Program

[nine-times]

How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.

The percentage might be higher if the signed-driver thing didn't seem to be used for Microsoft's anti-competitive purposes. Or does no one else remember the fiasco where Windows would complain when you tried to install certified drivers from Nvidia, and instead direct you to install a Microsoft-altered version of the driver with crippled OpenGL?

Re:Logo Program

[nine-times]

WHQL. Yes. I believe it was when Windows XP first came out (or maybe it was still when win2k was new?), Microsoft had a version of the driver in the OS and on the Windows update site with a lot of OpenGL features stripped. It worked, but was a little broken and very slow, but Direct3D worked fine. The same version of WHQL signed drivers from Nvidia's site didn't have OpenGL problems, but Windows would still claim the drivers were unsigned, and Windows Update would always ask you to "upgrade" to Microsoft's version, even if the Nvidia drivers already installed were newer.

So basically, there were conspiracy theories that it was done on purpose, but nothing definitive. Seriously, am I the only one who remembers this? I wasn't even sure it this behavior ever really changed, but it was enough to convince me to always get drivers from the manufacturer (not MS) and ignore the driver signing warnings Windows threw up.

Re:Logo Program

[EvilTwinSkippy]

Actually it's a step backwards.

The one nifty thing Windows had over Unix in terms of security was VMS-like "Access Control Lists." While overkill for your average file server, when you get involved in large multi-user environments they REALLY help manage resources.

They are likely doing away with ACL's because they really slow down performance. Instead of checking two bytes in the file entry, you have do a database lookup, that can chain on and on if you have a complex set of rules.

(I implemented an object oriented ACL system for a website. If that qualified me to have a technical opinion.)

Re:Logo Program

[gewalker]

Nothing in the article says that MS is getting rid of ACL's, just that they are going to start writing software that is function with local admin. Slashdot title is misleading (what a shocker).

Tons of software from MS & others on Windows won't work correctly unless user is admin (and support for su equivalent from Windows is weak).

It is like running everything as dba, sure its convenient, but you are just begging for trouble. Worse, when all software is written assuming dba, changing it to run as a regular user is painful. This is the same situation as most windows software is in. Pain will be worse the XP/SP2 by far.

MS should also added chroot to Windows if they are serious about security. Such a simple concept, such a valuable addition. Of course, much windows software goes boom if you introduce chroot, but they should still add it to Windows.

Re:Logo Program

[univacmac]

I never gave a damn if my drivers were signed or not - i wanted the device to work, and if that was the only driver i could use, screw windows. :D

Re:Logo Program

[E-Rock]

Tons of software? Not sure on that one. Only app I know that can't be made to run as user is Quickbooks. The rest just usually need an ini file (that developers put into the system root) or need write access to the particular program directory.

My network has everyone run as User, even the developers. All the tools and programs run just fine with a tweak here or there.

Re:Logo Program

[FuzzyBad-Mofo]

Microsoft had a version of the driver in the OS and on the Windows update site with a lot of OpenGL features stripped. It worked, but was a little broken and very slow, but Direct3D worked fine.

Holy shit, that's evil -- and shows exactly why Microsoft should have been broken up ala Ma Bell. MS has shown time and again that they will impede progress/interoperability to further their monopoly. Why do users stand for it?

Re:Logo Program

[zippthorne]

The drivers that came with my motherboard are not signed, the driver for my monitor is not signed (it's quite old), I forget about the graphics card.. printer drivers not signed - what am i supposed to do? use my computer with the "default" monitor at much lower resolution and refresh rate than my monitor is capable of, and never print anything?

Re:Logo Program

[Verteiron]

While many gamers are Windows users, very few Windows users are gamers. Unless the user is a gamer, the odds are good they'll never know there was a problem. If the user is a gamer, they're downloading the nVidia drivers from nVidia, and ignoring the older ones available on Windows Update.

Re:Logo Program

[T5]

Let's go over this week's list of problems:

1) HP scanner software - as administrator, works fine. As user, press a button on the scanner and the software can't find the scanner (!).

2) Norton Systemworks - as administrator, updates just fine. As user, can't run updates.

3) Turbotax. Same as Systemworks.

And that's just this week!

Re:Logo Program

>> use my computer with the "default" monitor at much lower resolution and refresh rate than my monitor is capable of, and never print anything?

You installed Linux too? :)

Re:Logo Program

I don't know if the issue is related to openGL but my Dell Laptop running Win2K Server still shows an NVIDIA update every time I go to the Windows update site and has been for more than two years. The bad news is that the two times I got careless and selected all updates the windows signed driver resulted in my machine becoming unusable within an hour or so of the "upgrade". What a pain in the ass! As far as I can tell the signed drivers are no better than the unsigned - and in my case significantly worse!

Re:Logo Program

[E-Rock]

I don't use systemworks or turbotax here. For your scanner, I'd try giving the Users group rights to the program directory and then have it update the children folders.

Also, make sure you're letting the company know that you don't like that their product was writen assuming an insecure machine. It's the developers fault, not MS.

Take palm for example. It's a real bitch to get set up to run as a user. The software for a blackberry, which does all the same things, and more, has no problem being installed by an admin and then running as a user.

Re:Logo Program

[blackpaw]

2 & 3 - of course you have to be administrator to run updates.

'User' attitudes

[Jumbo+Jimbo]

I think that it's a good start and may well make a big difference in companies which use Windows as their desktop platform and have system administrators who can control user accounts.

This section from the article seems to have a good point: A strictly enforced LUA model could make it harder for worms and viruses to take over Windows systems. But Microsoft may have a tough time changing user and developer behaviour, even with new features that support the LUA regime in Longhorn, experts warn.

On home systems, we still currently have enough problems trying to convince people not to open dubious attachments, or with people giving sites permission to install practically anything on their machines. It will take a big shift in attitudes (or Microsoft forcing the user to jump though hoops) to make many home users have anything but admin-privilege accounts.

Re:'User' attitudes

[Cosine+Jeremiah]

Macintosh users adjusted rather well to OS X's behavior, which basically mimic's a GUI sudo whenever root privs are needed. I think if application installers start popping up the password prompt, people will figure out what to type in there.

On the other hand, perhaps people will end up getting too used to typing in the password whenever it's presented.

"Installer? Check! Installer? Check! Virus? Check!"

Re:'User' attitudes

[nine-times]

It will take a big shift in attitudes (or Microsoft forcing the user to jump though hoops) to make many home users have anything but admin-privilege accounts.

And I think that, right there, that's the problem many of us have with Windows' security (you know, when you hear all the MS-bashing about bad security?). Microsoft has sought to appease users/developers who don't understand/care about security measures, and so they've left out the hoops you would have to jump through in order to accomplish things. However, this means that viruses/worms/trojans/spyware/whatever have to jump through fewer hoops as well.

Personally, I'd like to see Microsoft be brave, risk alienating their customers, and do things the right way. The question is, has the bad press about security made Microsoft feel threatened enough to take that risk.

Re:'User' attitudes

[bheer]

Those are basically click-once managed-code apps that execute in a Sandbox.

Re:'User' attitudes

[erroneus]

One thing that Microsoft can and should do is to implement the traditional "you can't/shouldn't run this as root" thing.

Some programs refuse to run as root. Some will always warn you. This would be a VERY good thing. There are so many programs that shouldn't be allowed to run as Administrator and, really, should be the norm. User applications should always have this restriction in place. Wordpad can run as Administrator, but MS Word should not. MS Paint can run as administrator, but The GiMP, Photoshop or the like should not!

This would represent a pretty major shift in the user experience, but that shift could be about the only practical way to dig Microsoft's reputation for terrible security out of the hole it's in now.

I'd like nothing more than people to switch to my favorite OS, Linux, but in the mean time, I don't think it's worth all of the suffering that users experience in the mean time.

I think the best mode of operation is for Microsoft to define a white-list of applications that are allowed to run as Administrator and make it a pain in the ass for users to make adjustments to that list each and every time. This would encourage users to run as a user... but again, the problem of developers not updating their coding practices to match will be the biggest hurdle.

Re:'User' attitudes

[immortalpob]

Actually you made me think of an interesting point, if M$ wants the vendor to produce an summary of the permissions necessary for a program to run, would it be possible to have the program reduce it's own permissions to have the minimum necessary. For instance if you open IE as an administrator IE could immediately reduce its permissions to the absolute lowest level possible, this WOULD help quite a bit.

Re:'User' attitudes

[flithm]

This is absolute crazy talk. When I'm admining my server as root, I need to be able to run every application... and this is the way it is now. There's very few cases where something will refuse to run as root, and that's exactly the way it should be.

They key here is that many applications drop their privilege level to some predefined state, ie on many systems this is nobody:nobody.

A white list is no good, it'll just cause a whole bunch of people shouting "I need to run this as admin!"

Just let applications drop their privs, and if it's necessary implement a black list for rogues that don't do what they're supposed to.

Re:'User' attitudes

[AvantLegion]

But asking for the password is better than nothing. And the password pops up at predictable times - when installing software, changing system settings, etc.

Were it to pop up at an unusual time, I'd think a decent number of people would be suspicious. And for those that weren't, it would at least give them something to reference back to as to "where they went wrong". Problem with Windows is that the "security" fails silently, and soon you have a compromised system and no idea how it got that way.

Re:'User' attitudes

[Coryoth]

On the other hand, perhaps people will end up getting too used to typing in the password whenever it's presented.

"Installer? Check! Installer? Check! Virus? Check!"

I think the more disconcerting possibility is a shareware or other program that mimics the password dialog and sends the results off somewhere. People have a remarkable tendency to use the same password for everything. This could be a boon for password farming.

Jedidiah.

Re:'User' attitudes

[uujjj]

software is supposed to require admin privileges to install. It is the ability of software be installed WITHOUT an admin password that is the problem.

Re:'User' attitudes

[djmcmath]

It comes back to the whole "build a better idiot," principle, though. I mean, I have people come to me complaining that their computers don't work, and they don't know why.

"What is the error message?"
I don't know, something about how it won't work.
"What did you change?"
Nothing.
"Nothing? It just stopped working?"
Just stopped working, can't explain it.

Come to find out they logged in as Admin, deleted a bunch of files and registry keys, shut down, removed old hardware and installed new hardware, and then completely mind-dumped the whole experience.

Am I the only one with users like this?

Finally...

[TripMaster+Monkey]

From the article:

Application developers who log on to their development machines as administrators when they write code create programs that assume that level of privilege but have trouble when run by a user with reduced permissions, according to Brown's work, which estimated that 90 percent of Windows software can't be installed without administrator access to Windows, and that 70 percent won't run properly unless the user is an administrator.

It's about damned time this issue gets addressed. Every day at work I have to fight with this M$ limitation. Chief among the offenders are:

- Kodak Share software
- Autocad
- Any serial port emulation program
- PowerDVD

Most users must be elevated to Power User status on their machines to allow them to do anything nowadays, while there are plenty of programs (like the ones listed above) that will malfunction or simply refuse to work with anything less than full Admin rights. Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.

Re:Finally...

[Anonymous+Luddite]

>> Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.

That's where I live buddy.

We have a room full of people of varying ability who all have unlimited access because [censored p.o.s. software package] doesn't run otherwise. These guys surf a lot, clicking "yes" on every friggen dialogue box they see... literally can't go a full week without some exploit being loaded.

zero user buy-in for security - When someone shows up to remove the exploit-of-the-week for them, they get is static about "touching my machine". It pains me to be in the same room sometimes...

Re:Finally...

[zenray]

We've had the same issues at work but we've found that if you examin the bad applications closely they mostly want write access for the user in the 'programs files' area or the windows or winnt area. Giving users of these programs the proper write access solves most of the problems. We found one program that required a registery edit to work properly with just 'user' privilages. It is a major PITA to find out all these details to tighten security but we are doing it.

Re:Finally...

[Malc]

Can I recommend Aaron Margosis' blog? It provides a lot of tips for running as non-admin. His PrivBar is very helpful. He also talks about scripts that launch other apps with elevated permissions without having to log off - they change the user's permissions (give them admin rights), logon as that user, launch the app, and finally reset the permissions, all within the current user's session.

There's a lot that can be done to enable software to play nicely under a limited user account. Sometime's it's not worth the effort, but in some cases changing permissions on select registry keys and NTFS folders can get things working.

Re:Finally...

[Rycross]

We run all of our users as users at work. Some of the programs which don't work can be made to work by fiddling with file permissions and the security policies. For programs that just won't work without admin priveledges, we provide an admin account which has been modified so that you cannot log into it (by having a script that logs you out as soon as you log in). The users use the "Run as..." option, and run their programs using this administrator account. Thus they can't do everything as administrator, but programs that require the permissions can be run.

Re:Finally...

[Spy+der+Mann]

Chief among the offenders are:

- Kodak Share software
- Autocad
- Any serial port emulation program
- PowerDVD


Shouldn't Microsoft Logo certification do something about this? I mean, isn't there a clause saying "Thou shalt let users run thy program withoust being administratorths" or something?

Re:Finally...

Try a product called Deep Freeze. Won't matter what they do to screw up the machine then...a reboot resets the drive to the original image state. We use it in labs and desktops now.

Re:Finally...

[jd142]

I wonder how many of the programs on the list don't necessarily require admin access once they've been installed, it's just that one person installs the app and then it doesn't work at all under another user.

I know that we use PowerDVD here. We install it under an accout that is a member of the administrator's group. Then we log out and log in as administrator. We copy the profile for the install account to the default user. After that, any one who logs into the machine can use PowerDVD, even though they are only members of the user group, *not* administrators.

This is another big problem with windows apps, office products as well. A is an administrator. A installs an app on a computer. B is a user. B tries to run the app but can't because the first time the app is run, it wants to write to protected areas. Every time there after, B can be a member of the users group. But that first time, B has to be an admin.

In a large company with people moving to different computers throughout the day, this can be a real PITA. The only real work around I've seen is what we do. Create a special account for installing software. Install and run all the software the computer will ever need. Log in as administrator and copy the profile for the install account to the default user profile. Delete the install account.

Some programs are nice and give you an "install for all users" prompt, SecureCRT is one of the good ones I think.

Since most windows programs haven't even properly understood and implemented things for a multi-user environment, WordPerfect I'm looking in your direction, I'll be surprised if they can handle the LUA idea.

Re:Finally...

[squallbsr]

But sensoring the internet isn't always the solution. They sensor us here at work (I'm a developer), whereas most of the blocked sites probably should be blocked for normal users, but for our job it is getting harder and harder to get help or find examples and such when programming on a project. Google groups are blocked, all msdn blogs are blocked, most sites with the word "forum" are blocked. And it isn't like they are going to unblock these sites for us because they are useful for us.

For those of you sitting behind the proxy - don't forget that some people probably legitimately need access to the site you just blocked.

Re:Finally...

[TripMaster+Monkey]

Sounds like you need to take your network admin out to lunch and get him drunk...he'll take care of you if you take care of him... ;)

Memories

[FreeLinux]

Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly

I recall a few years ago when all applications even MS Office came with this type of documentation so that Netware administrators could install the software and configure the "rights" properly.

I had recently encountered a few Windows applications where permissions were a problem and I was reminiscing about just that. Serendipity?

Of course...

The permissions will permanently be set to 777.

The problem has never been a lack of permissions in NTFS, just that no one uses them well.

Re:Of course...

[Koiu+Lpoi]

And there's a plethora of windows programs that require Admin rights just to run. The most bizzare one, in my opinion, is Battlefield 1942, although there are plenty of others, like PowerDVD. Just trying to use permissions properly in windows is a huge pain, if not impossible. I hope Longhorn fixes this, but I've got a feeling that it's just a re-routing of the current problem.

Re:Of course...

[Minna+Kirai]

The most bizzare one, in my opinion, is Battlefield 1942,

It's not really too wierd- it's actually a preview of the "remote attestation" features you may get from "Trusted Computing" next decade.

Battlefield 1942, like all online games using the PunkBuster anti-cheating library, needs admin rights so that it can examine every other program you are running, in case any of them is meant to help you cheat.

By running a game like that, you are not only giving that software full control of your computer, but also allowing the publishers to remote-control your PC whenever they like. TCPA may make this behavior more elegant and compartmentalized.

A step in the right direction but..

[thundercatslair]

This might not change much, windows users are generally lazy. I see most people will just log in as an administrator and stay that way forever. The article didn't mention how easy it would be to switch to an administrator either like unix's su. No matter what microsoft does security will always be a huge problem, users don't want to change they like it easy.

Re:A step in the right direction but..

[PPGMD]

It's already easy to run software at higher permission levels, you right click an executable, and select Run As, there is also a command line version of it as well.

The ability is already there in XP to run at lower permission levels for most applications, it's just that few developers have properly coded for it, as they assume the user will be administrator. I would say that 20-30% of this problem is the developers fault, because the tools are there.

Permission Differences

[buckhead_buddy]

No the Microsoft permissions in Longhorn will be different from Unix permissions...
They'll be patented. :-)

No, Unix uses Windows-style permissions

[badmicrophone]

well, it will once MS finally patents them like they did sudo.

http://taint.org/2004/08/20/024522a.html

--
Check out my music video!

LUA?

[JabberWokky]

I realize it's hard to come up with simple names, but it's going to be annoying trying to Google for stuff about Lua soon.

--
Evan (Really nifty language)

Years?

in what sounds exactly like what UNIX/Linux users have been doing for years.

I think you mean decades, not years.

XP does that. User permissions are not the problem

The permission mechanisms in Windows NT/2k/XP are pretty flexible. Unix is only just migrating from the old user/group/world permission set to access control lists, something that is readily available for just about everything in the Windows operating system, from files to individual registry entries.

The problem with Windows permission management is that a) it is completely hidden from the casual user, b) there are no guidelines how applications can be made to work with restricted privileges and programmers are too lazy to figure it out themselves and c) the default XP install makes everybody an admin, so there is very little incentive for application programmers to get it right.

Re:What?

[Lussarn]

Windows permissions are better in the sence "more advanced", but more advanced may also be translated to harder to use. Unix security is great for system files but not as good for user files where more advanced ACLs have the advantage. Most security is in the system files and it should be kept simple for the sake of correctnes.

Unix are beginning to get ACLs now with some implementations but I don't ever see it going down to the system files.

Re:-rw-r--r--

[Narchie+Troll]

Note that the discussion isn't about using literal Unix-style permissions -- the title is rather misleading. NTFS permissions are very good; in some ways, they are superior to classic Unix permissions (but not necessarily to Posix ACLs).

Instead, the Windows security model is (apparently) going to be more Unix-like, in that the demarcation between administrator (root) and normal user will be more strict. Mostly, this means making software developers allow their programs to be installed and run with limited permissions, unlike the current admin-fest.

There are many ways that Microsoft could fuck this up, but I hope they don't. Unlike some people, I have no investment in constantly repairing ruined systems.

Glad to see a first step..

[Antyrael]

While this has been a long time in coming, problems are bound to accompany a change of this large a scale. I see the biggest problem being older apps that do the job, but aren't under development anymore. As well, it would be great if MS could implement something that follows along the same lines as the su command for *nix. Just a quick userswitch at the command line, install a program, and bam, done.

Home

[MisanthropicProgram]

I'd like to add that I hope that some of the software developers will start to consider that people will be running their software under another account other than "owner". I have a game, that no matter what I do to the permissions, will not run under any account other than the owner/administrator.
I'd also like to point out that I've been following all of the suggestions and tips on /. regarding Windows security and permissions and I haven't had my machine corrupted - yet (knocks on head) Knock on wood.
Thanks guys!

Re:Home

[Queer+Boy]

I have a game, that no matter what I do to the permissions, will not run under any account other than the owner/administrator.

I'd return the game to the manufacturer and tell them that was not one of the requirements on the outside of the box and you do not have access to play the game under an admin account. There's no reason a game should have free reign of a system.

Incidentally none of my games on OS X require superuser or even an admin account. Although they require it for installation if you install anywhere else but ~/

Re:Home

[badfish99]

I'd also like to point out that I've been following all of the suggestions and tips on /. regarding Windows security and permissions and I haven't had my machine corrupted.

As one of the most common /. suggestions is to use Linux instead, I'm not surprised.

Re:Home

[tealtalon]

I'm assuming 2000 or XP here, but try shift right clicking and using run-as. It will prompt for an account. Enter the administrator password. That may help. Run-as is a crappy comparison to sudo, su.

Google for runas.

Re:Home

[Quarters]

"Incidentally none of my games on OS X require superuser or even an admin account. Although they require it for installation if you install anywhere else but ~/"

Would that game be Breakout, SuperBreakout, or Photoshop?

Re:Home

[freak4u]

As the way it should be. This is the reason why I and I'm sure a lot of other people don't run windows. In Windows, anybody can muck up your system. In *NIX, it's a lot harder. Hell, the run as service doesn't even work very well in Windows. Speaking of, does anybody else notice how Windows is reverting back to UNIX? There is speculation that NT is based on VMS (VMS -> WNT is incrememnting a letter, check the safemode stuff with disk0/part1/ nix type stuff). further reading

Re:Home

[l0perb0y]

Yes, but how many games run SetUID root in OSX? (don't have a clue, just wondering)

Games like Abuse do this in Linux and it's always getting new exploits. How many game developers are dedicated to tightening down the security of their code?

Re:Home

[sp5]

I'd like to add that I hope that some of the software developers will start to consider that people will be running their software under another account other than "owner". I have a game, that no matter what I do to the permissions, will not run under any account other than the owner/administrator.

Right on! There are dozens if not hundreds of programs that do not work unless they are run as administrator. Instead of fixing these applications, the vendors (eg. AutoDesk, SolidEdge) just says to give users Power Users (which is almost administrator) privileges.

I used to think this problem would go away as developers right with NT/2000/XP in mind but after more than 5 years since the release of 2000 this problem still exists, even with NEW applications.

IMO, this isn't a Microsoft problem, but lazy or ignorant 3rd party developers.

-sp-

Re:Home

[n0-0p]

There's no speculation at all, it is a fact. Windows NT is heavily derived from VMS; the lead architect for both is the same person. This is openly referenced in MS literature even. Why try to make it sound like a conspiracy?

As for the rest, no it is not harder to muck up a *nix system than windows, it is just much harder to configure and run a Windows NT/2K/XP system with multi-user priveleges. This is not due to the base OS, which has all the necessary support. It has been bad policy on MS' part by failing to standardize, promote and enforce these requirements in applications. Because of this, application developers (MS included in many cases) take the easy way out and build software that requires admin privs.

Please, do some basic fact checking in the future. Your entire post was very deceptive.

Re:Home

[sconeu]

Unfortunately, "The Sims" and "Mavis Beacon Teaches Typing 15" actually have that requirement (on their website). I think the Sims has it on the box, too.

Will someone tell the reason why on G-d's Green Earth that a typing tutor requires Admin?

The only thing I can think of is sloppy programming, writing to Program Files or to HKLM, instead of C:\Documents and Settings\{user}\Application Data or HKCU

Re:Home

[OldeTimeGeek]

I always say the same people designed both.

Then you would be correct. Many of the original NT designers worked on VMS at DEC, including their lead architect.

Here's the story: http://www.windowsitpro.com/Articles/Index.cfm?Iss ueID=97&ArticleID=4494

Re:Home

[jwgoerlich]

IMO, this isn't a Microsoft problem, but lazy or ignorant 3rd party developers.

I wholeheartedly agree. Microsoft Windows 2000/03 does have a detailed security model. You can grant or deny privileges to just about any file or registry key.

Microsoft has provided information on the security model. MSDN provides best practices for coding including where to place user settings and why. Technet provides details on what to secure and why. So, why do software houses put out products that require elevated privileges? Why do administrators setup people to run their computers as administrators?

Laziness! If you are a programmer, I kindly ask you to review the MSDN documentation and write secure code. If you are a network administrator, I suggest you learn the OS and secure the computers.

Network admins can use tools like Sysinternals Filemon and Regmon to see what these crackpot applications are trying to write to. Then, grant the user privileges to these areas. Admins who take the easy way out by granting administrative privileges are just plain lazy.

My two cents,

J Wolfgang Goerlich

Re:Home

[Foolhardy]

Read Windows NT and VMS: The Rest of the Story
Just because marketing says it's "new technology" doesn't make it so. NT originally referred to the codename N-10 Intel i860 CPU that it was going to run on.

If I run a malware email attachment as a normal user on my Windows box, it can damage at most that user's profile. That user doesn't have permission to write to anything outside their profile, and so can't damage anything else. Before it can even run, the directory or hash for the binary can't be on SRP's blacklist and the user needs file execute permission.
Although SRP wasn't introduced until XP, everything else has been true since the first version of NT. Show me malware that can bring down an entire Windows system when run as a normal user.
If you're running it as admin, then that's the first problem, isn't it?

What worries me about manifests

[tepples]

But here's something that worries me more about manifests:

Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly and can be signed by independent software vendors to ensure integrity. Deployment manifests, signed by IT departments, will allow network administrators to dictate how much trust an application should have on the network, according to the documents.

Based only on this part, it appears that an application manifest must be published by an entity that can afford three figures USD per year for a code signing license. Developers of free software and proprietary freeware often cannot afford this annual fee. My worry is that Longhorn Home Edition may not permit users to install customized deployment manifests, locking users into using only programs with an application manifest, that is, proprietary commercial software.

Re:What worries me about manifests

[Lavaeolus]

Based only on this part, it appears that an application manifest must be published by an entity that can afford three figures USD per year for a code signing license

Not necessarily - I assume that the certificate an IT department uses to sign code will only need to be trusted within the company network. Windows Server is shipped with a certification authority software, and it is a (relatively) trivial task to create certificates that are trusted by all machines in a domain.

Years behind

[Sebby]

I find it odd how microsoft tries to say it's innovative when they adopt methologies that have been in wide use already for several,several years, but only implement them several, several years later.

I guess what they'll have to be innovative at is implementing it in such a way that it'll be secure, without breaking old software, but breaking old user/developer habits which caused the mess that requires them to implement this now.

Re:Years behind

[RLW]

You forgot the read the fine print.

M$FT is innovative in the realm of the MS Windows OSes. It does a better job of adding new innovative features to various MS Windows OSes better than anyone else does.

It's a very narrow scope.

UNIX-like?

[ryanvm]

After reading the article *gasp*, I wouldn't say Microsoft is moving towards a UNIX-like security system. Rather they are moving away from a stupid security system.

There's nothing inherently UNIX-ish about not giving normal users administrative privileges. Unless you're defining UNIX as any multi-user operating system. The idea of limiting normal users is standard in any decent multi-user operating system.

Re:-rw-r--r--

[maxwell+demon]

Well, the permission system will probably have a few more bits:

• The copy bit (allows you to make a copy from the file). Cannot be set even by the system admin, only cleared.
• The move bit (allows you to move the file to a different device, i.e. making a copy and at the same time remove the old). Same as above.
• The internet bit (tells that you are not allowed to start the program if you don't have an internet connection open. Ideal for spyware. Can only be set, not cleared.

Not Permissions, Just Common Sense Default ACLs

[foo+fighter]

This isn't Windows switching from their ACL model to a UNIX permission model.

One, they are pushing for 3rd-party developers to finally stop requiring simple apps like kid's software and low-end desktop publishing to be run with escalated privileges.

I mean, these application developers have had since '98 or '99 to work this out. But Window's lax defaults and lack of user education didn't force the issue. Microsoft is finally, /finally/, forcing the issue.

Two, it is Microsoft finally realigning their default ACLs to be at once more secure and more common sense.

It makes no sense for a home user to not be able to control their power settings or change their system time unless they have escalated privileges.

Really, this isn't so much Windows following UNIX as it is Windows following OS X.

Finally, and this is IMHO, going to a permission model would be a *huge* step backwards. I know UNIX die-hards will flame me for this, but it is my experience that ACLs are much more flexible and lucid than permissions.

Re:Not Permissions, Just Common Sense Default ACLs

[OmniVector]

a little clarfication on the os x permissions model. basically os x uses standard unix permissions right now. tiger's introducing ACL support. mac os x's good permissions model comes from well separated privledges, logical admin username/password prompts on actions that require escalation, and developers actually testing to make sure apps run/install without requiring admin privs. (heck you can install most apps in os x by just putting it in ~/Applications). technically windows has better permission control than most OSes out, it's just the defaults are total shit and the app developers don't take any responsibility to allow user-level installs and running.

Re:ACLs

[BAILOPAN]

Unix permissions _do suck, they're too simplistic and ACLs solve a lot of the problems inherent to it. For example, if I want to define a class of groups where each group defines a set of people allowed certain permissions to a directory, recursively, there's simply no way unless you use a filesystem that has an ACL extension (or something like XFS which has ACLs built in).

The article poster's saying "Unix Permissions" was being misinformative; Windows will never use the setuid-user-group-world style permissions, it has an ACL-like system. I think what's really meant is that this system will actually be USED in the future, it's pretty much ignored right now for most Windows desktops. As I read this, Microsoft will just be actually enforcing and organizing their own system -- which is a good idea.

Re:It's a good start...

[Narchie+Troll]

NTFS already has mount points. The interface to use them isn't entirely obvious, but they're there.

(Not that I don't agree with the general sentiment that Windows-style drive letters should be eliminated.)

About time

[n0-0p]

Seriously, the security community as been screaming about this for years just so MS could have parity with other multi-user systems. Of course, the big issue will be pushing other software vendors to compliance. Regardless, at least average users may finally not (by default) browse the web with an admin priveleged account. That should cut down on a lot of the malware issues that are encountered.

Are Unix permissions fine-grained enough?

[mrogers]

What I'd really like to see is something more fine-grained than Unix permissions: instead of giving every program permission to access all my files, I'd like to have multiple "hats" per user. Each user would have a personal equivalent of /etc/passwd describing their different hats (web, graphics, work, music, etc). A few programs like the shell, the window manager and the file manager would run with the user's full permissions, while other programs would be restricted to their own directories (eg ~/.mozilla), plus any files passed to them by the file manager (this could be implemented using pipes, or the file manager could change the permissions on the file). The file selection dialog would be provided by the file manager so it would be able to "see" all the user's files, but the application would only be able to access files selected by the user.

Just as the login process forks and drops its root privileges before running your shell, the file manager or window manager would fork and drop its full user privileges before running an application that was supposed to wear a certain hat.

Re:Are Unix permissions fine-grained enough?

[Queer+Boy]

I'd like to have multiple "hats" per user. Each user would have a personal equivalent of /etc/passwd describing their different hats (web, graphics, work, music, etc)

On UNIX we call this "groups" it's fabulous.

Re:Are Unix permissions fine-grained enough?

[omb]

I must be in a really bad mood today, _BUT_ when I hear stuff like this I really wonder what people have been smoking.

The UNIX rwxrwxrwx permission is fine for keeping applications out of the system files and to stop users installing malware as root.

Whenever users _say_ they want complex permissions what they mean is they want the OS to implement business logic rules.

E.g. these people can issue orders, these sign cheques, but if it is over $100 000 two must sign, except if it over $10 000 000 the CFO must sign, and only the CFO can see/change the CEO's remuneration package, and by the way, if the company name is Enron or Woldcom the CFO can, singleton, do anything without creating audit records.

Put this crap in your application, easy in Oracle/SAP/Peoplesoft with a little bit of scripting.

Give the rest of us, who are concerned that some guy in Tuvalu, Latvia or China dosn't own the whole machine a break!

Re:Are Unix permissions fine-grained enough?

[multi+io]

You can do everything with the *NIX permission model that you can with ACL

Now that's certainly untrue -- you can only assign at most three different permission sets for three different groups of users to a given file. "rwx" would allow eight different permission sets though. You can't, for example, assign "r--" to paul and john, "-w-" to lisa and mel, "r-x" to john and sue, and "---" to anybody else.

How often this is really needed is another question though.

Windows biggest problem

[erroneus]

I'd love to blame Microsoft for their own operating system problems, but really, the blame is mostly on the third party developers.

It has been this way from the beginning... as far back as I can see, developers skirted the BIOS because BIOS calls were too slow -- that was back when the BIOS was part of the OS. This is not a Microsoft problem, but it adds to understanding of how the culture evolved. "Forget about standards and interoperability, we need to deliver performance!" The error in judgement has been costly.

Today developers continue to write code that uses and exploits bugs and irregularities in the MS Windows operating system environment. If I learned nothing else from reading the comments found in the Windows Source code scandals, I learned that Microsoft became obliged to add code to emulate bugs and irregularities for specific applications to continue to run properly. In a perfect world, the app writers would write code using the APIs as documented. (And when bugs and irregularities were found, Microsoft would FIX them to discourage developers from utilizing the strange or buggy behaviors)

Developers should be mature enough to realize that any bug or irregularity found in an OS API should be considered subject to change and could break their software once it is fixed. It kinda bugs me that these "paid professionals" were and continue to be so short-sighted.... (meanwhile, these Open Source Amateurs rely almost exclusively on documented API functions and features simply because bugs and irregularities are often fixed quickly enough that to write code against them would mean they would need to update their code AGAIN.)

I think this kind of speaks volumes about where the real weakness in commericial software development lies -- in the motivation.

Re:Windows biggest problem

[kawika]

Very few developers are exploiting Windows bugs, at least not knowingly. The problem is that the standards changed.

When Win9x/FAT32 ruled the earth there were no protected directories and everyone, including Microsoft, tended to have writable files everywhere. A lot of programs saved their settings to files in their program directory, which seems bad until you realize that most of the rest wrote to an INI file in the Windows directory. But there were plenty of examples from Microsoft that did similar things.

When WinNT arrived with NTFS, the boys realized they had made a big mistake and started to segregate code (Program Files) from data (Documents and Settings). That let the OS have write-protected program directories, at least theoretically. The problem is that most app writers are not cooperating.

Re:Swing and a miss...

[cdwiegand]

I think the idea here is that the user could install a program to their "My Programs" folder - much like how when you run ./configure under [li|u]nix, you can pass --prefix=~ to install it in your own personal directory instead of system wide. May increase disk space requirements, but I personally would love it - each user can install their own software without affecting each other - great for terminal services environments... (IMHO)

Scrap it all and start from scratch

[vivin]

Thank God. I can't count the number of times I've had to deal with the stupid permission settings in Windows. Even for a simple thing like sharing files and folders over a home network. Their system is so convoluted and just completely stupid - pointing and clicking through various menus to set attributes... conflicting attribues... and all kinds of other crap. I was trying to set up access permissions on a home networked machine whereby it would authenticate against another machine on the same network. But you can't do that with "Workgroups". Only "Domains". All I have is a small home network of 3 machines - I have to set up a Domain Controller now? Why the distinction? All the "features" that microsoft has for their permissions system are simply inane and counterintuitive. To keep myself from pulling out all my hair, I just set the permissions to Everyone so that everyone and their mom on the home network can access the folder. But since it's just me at home, that's alright. And even then I've had trouble with that.

I'm glad they've decided to scrap it and move to a more unix-like. The next thing they should do is change their "automated task scheduler" tool. Make it more like cron. "at" just sucks.

Re:Scrap it all and start from scratch

[EvilTwinSkippy]

I'm still waiting for a decent (factory default) shell language.

Sure you can install Cygwin, but that's not the point.

Permissions in the Home vs. in the Workplace

[amichalo]

This doesn't solve all problems for Microsoft, just changes them.

While this will be a certain benefit to corporate environments with IT security policies and IT departments to come install/upgrade software for employees while at the same time ensuring that new version of FreeCell you got from a friend doesn't infect the whole corporate network, the issues become more troublesome for home users.

A home user will either end up running their system as an Administrator, thus circumventing the access permissions model, and/or they will become frustrated with the inability to install/update/access/delete files on their own computer.

How many times has the home user faced a property configuration wizard that tells them to contact their "system/network administrator" for more information.

My mother is not a "system administrator", but yet, to change her ISP, she had to put on that hat or call me to talk her through it.

No disrespect to Linux, but Microsoft would do well to study Apple's model for system security on a home implementation. Apple has, successfulyl in my opinion, abstracted much of the user security model to allow the home user to know nothing about CHMOD while still providing appropriate security when needed - like entering an administrative password (SUDOing the application) for installations and upgrades.

Last on the list of needed changes to the windows security model is to provide far more robust error/exception handling when a user does something like tries to rename a file that is open. Consider this closing argument:

"The file cannot be renamed because it is in use by another application."

versus

"The file 'foo.doc' cannot be renamed to 'bar.doc' because it is opened by 'Word.exe' would you like to:
- Cancel the renaming
- Save the document changes in Word and rename the file
- Discard the document changes in Word and rename the file"

Of course Longhorn will be Unix-like...

[uncoveror]

After all, the next Windows will be a version of BSD, a rip-off of Mac OSX. Claims of BSD's death are greatly exaggerated.

Re:Of course Longhorn will be Unix-like...

[Junior+J.+Junior+III]

Note: BSoD and BSD are not the same thing.

How About Better Error Messages?

[gspeare]

The problem I've always had with Windows permissions is that it's damned-near impossible to debug permissions problems. After two or three attempts with completely uphelpful error messages, I don't have the time to figure the exactly proper config, so Full Control it is.

If it were easy to tell what the problem was, it would be easier to have a secure system.

Re:It's a good start...

In XP:

Mountvol

Creates, deletes, or lists a volume mount point. Mountvol is a way to link volumes without requiring a drive letter.

Syntax

mountvol [Drive:]Path VolumeName

Come on over to Linux!

You have to be root to install almost anything.
You have to be root to mount a CD-ROM, USB device like a dongle or camera, SMB share or floppy.
You have to be root to burn a CD.

Now, everyone is going to start screaming that the above trollishness is bogus but, it isn't. Sure, you can easily get around most of this stuff and many distros do. How? They get around it by either giving world writable access to the device or by SUID on the application. It's really no different.

Re:Come on over to Linux!

[Narchie+Troll]

'Being root' and running a SUID CD burning application is rather different. In fact, it's entirely different, since you're granted no special rights as a user.

You do not have to be root to mount anything. That's what /etc/fstab is for, specifically the user flag. That is indeed a bogus claim.

Most programs can be installed as a regular user under $HOME. I've done it many times on systems where I have no root access. This includes everything from Lua to GTK+. In fact, very few Linux programs require root access to install and use properly.

Either you haven't used Linux, or you haven't bothered to learn how to use it properly.

Re:Come on over to Linux!

[Daytona955i]

Wow, so you mean that things are locked down by default and you have to specifically enable things like letting users burn cds or mount things?

You have to be root to install almost anything.
Yes and no, some programs allow you to install to your home directory and then you don't need any permissions. Other than that it's the same for any OS, windows included.... it just happens to be that with windows everyone's usually an admin.

You have to be root to mount a CD-ROM, USB device like a dongle or camera, SMB share or floppy.
You have to be root to burn a CD.
chmod my friend...

Now, everyone is going to start screaming that the above trollishness is bogus but, it isn't. Sure, you can easily get around most of this stuff and many distros do. How? They get around it by either giving world writable access to the device or by SUID on the application. It's really no different.
Actually it is very different and you don't have to give world writable access to the devices in question if you don't want to. Have you ever heard of groups? You could for instance make a cdwriter group and then assign users you want to be able to burn cds to that group. The big difference is that there is no way to really do this in windows. You're either an admin or you're not. Giving someone access to write to a cdrom drive won't allow them to say accidentally install some virus. If they do install some virus, it would be limited to things they have access to.

Oh and it's this way with all Unixes, not just Linux. I for one am glad to see windows is finally catching up to UNIX, hopefully they won't mess it up too badly. This wouldn't be the first time I thought windows was going to do something good, only to find they implemented it wrong or introduced a whole slew of other problems.

Re:Come on over to Linux!

[EvilTwinSkippy]

OSX: user == cattle
OSX/FreeBSD: admin == cattle rancher
VMS: User == Ameoba
VMS: admin == Crazed Hermit
...

Re:Come on over to Linux!

[NoMoreNicksLeft]

Reminds me of that VMS admin they found deep in the heard of some DEC building last year. From what I understand, he still doesn't believe that Compaq bought out his company, and they're having a hell of a time tracking him own in there. Late at night he somehow evades security cameras, sneaks out and defaces HP logos.

They say you can hear his screams of "thread-level security" echo through the halls.

Re:Come on over to Linux!

[Stonehand]

Won't work for dynamically linked libraries, or old SVGAlib programs that require root access. Likewise, there are programs that expect to have SUID access to write system-wide logs in /var or /usr/local. Using --prefix isn't going to magically fix applications that expect this.

The first bit can be worked around using LD_LIBRARY_PATH, but the latter cannot.

Re:Permissions - who cares - they need symbolic li

[EmperorKagato]

In reality that is what drive naming convention does. Especially using F: for a networked folder \\filer\production Behind the mask of C/D/E could be the \\devicename\partition\ Just windows gives you the convience of the drive name.

Not good

[Beatbyte]

I can easily see Microsoft patenting this technology once they have it implemented.

This can only further limit other OS's.

To me it feels more like a race between MS and OSS programmers to get the technology out there to be 'previous art' before we get shut out in the cold by our own legal system.

Actually unix perms are better

[0xABADC0DA]

Unix permissions are actually better anyway because they are much easier to work with. It's very easy to write shell scripts that deals with user/group/other permission, see what the permissions are in output from ls, modify in GUI dialogs (see Finder's Info panel for example). If also lets the entire be specified in a fixed-size integer in the inode, which makes file access faster.

What's needed is old unix permissions + ACLs to handle the exceptions. So the ls output might be: drwxr-xr-x+ ... with the + to indicate ACLs are present for the file.

This will change nothing

[Toby_Tyke]

Sure, this is a step in the right direction, but it will have zero impact on most users, for two reasons.

1. Most users will just log in as an admin and stay that way forever. Far easier and quicker than typing a password every time you want to install software.

2. Social engineering. By which I mean a pop up box saying "type root password here to see Paris Hiltons tits!". If Joe Sixpack actually used Linux, it would be no more secure than windows, because he would dish out that password every time a dialog asked for it. Or he would get so tired of typing it that he would resort to point 1.

"Fixing Permissions"

[Leebert]

The ones that annoy me the most are applications under Windows that, when installed using an administrator account, "Fix" the permissions on my filesystem for me. I believe the software that came with my old Canon PowerShot (A40?) did this so it could store pictures in the program directory. I mean, ferchrissakes, there's even a bloody "My Pictures" directory that's writeable by the user!

Re:It's a good start...

[binner1]

For those who have never really thought about this issue (drive letters vs mount points), here are a few of my thoughts on the issue. I'd welcome people to comment on why they think drive letters might be a good idea. Does anyone know why drive letters were originated? An inability of early DOS-like systems to do mount points that never died?

Although *nix has had the problem of strange names (a legacy thing) and changing naming conventions (/srv, etc) the idea that for the most part, you always go to the same location for the same thing is great. With drive letters, sometimes a cdrom is D sometimes E, somethings xyz...when you get into network drives, things are at the whim of the guy that setup the scheme in the first place. Is my user drive F or G (my workplace currently maps both).

If instead the user drive was always mapped to ..Docs & Settings\myuser, the network would gain more transparency. If you change jobs, you don't have to learn a new drive letter scheme (no big deal for us, but think of the users...won't someone think of the users?).

Anything that can be done to make things seem more transparent to a user without obfuscating other aspects of the system is good imo.

-Ben

Anyone seen this fortune cookie before?

[bcmm]

"Given enough time and money, eventually Microsoft will re-invent UNIX."

From a famous fortune cookie, can't remember which one.

Re:-rw-r--r--

[ergo98]

The submission of this story is so incredibly ignorant it boggles the mind, and already in the follow-up posts it's clear that many participants of this forum really are clueless about Windows security in the NT and after world. Windows has had extraordinarily pervasive, and extremely granular, security for many, many years. The idea that they're going to adopt "UNIX like" security, dumbing down their security, is absurd.

What Microsoft is doing is quite simply forcing application vendors to follow the rules regarding expected user rights, rather than relying upon the "see the world" leftover of the Windows 9x era. Things like applications that store user data in HKLM, which itself is admin writable only.

In fact, let me take a quote directly from the article.

"The [LUA] framework we're talking about has been there for ten years...

THIS IS NOTHING NEW. Microsoft is simply going to start separating the wheat from the chaff among third party apps (hopefully they take a close look at their own as well) to ensure that apps don't require more rights than they really should.

This is nice and all

[jayhawk88]

...but getting older programs working in XP was bad enough. Something like this is probably going to break 3/4 of the old Windows software out there, a nightmare for those of us in the corporate worlds. Cause, you know, Sue in Financials has 10 years worth of expense reports locked up in PeachTree Accounting 4.4 for Windows 95 and doesn't see why she should use anything else, and Doug in Facilities has a master key database in dBase 2.5 for DOS that nothing on the fucking planet can read any more.

Ugh, I'm already seeing the problems.

Cowpokes

[NateTech]

I think Microsoft needs a cattle prod for their Longhorn, to get it out the door.

Nice to see they're considering adding features added to other OS's 20 years ago, though.

MS pattern: big promises, partial delivery

[dpbsmith]

Microsoft is excellent at deflecting criticism by promising fixes, then delivering what are only modest improvements.

When Microsoft software has an obvious problem that competitive software does not, the general pattern is that a) Microsoft claims the next release will fix it; b) the next release falls far short of a fix but is nevertheless a noticeable improvement; c) applause from Microsoft fanboys drowns out those would observe they still haven't achieved parity with the non-Microsoft state-of-the-art.

Since Microsoft users live in a sealed universe--they're too busy keeping up with security patches, changes in API's, and evolving purchase and licensing plans to have the time to ever use any non-Microsoft software--Microsoft gets away with this pattern of "big promise, partial delivery"

Complaints about Windows 3.0 instability were met by the assertion that you "would never see a UAE in Windows 3.1."

Complaints about FAT fragmentation were met by assertions that NTFS would not require defragmentation.

Comments that Windows 3.X was far less usable than the Mac OS were met by assertions that Windows 95 would be just as good as the Mac.

Complaints that installing software under NT 3.x were met by assertions that NT 4.0 would not require rebooting....

GPO can do it all now , MS just restricts it.

[bardothodal]

You can do everything you want using Group Policy objects. Like another poster said , the problem is that it's hidden from the user and basically inaccessible from windows XP home. The other problem is the way it is implemented. Local Group Policy can not be applied to individual users or groups without resorting to cheap hacks. Even when you do the ACL trick you can only get Local Policies for 2 different users. The functionality for multiple Group policies to apply to multiple users groups and computers is there, It is just restricted to using over an AD domain. Obviously this was part of the plan to boost sales of Windows 2000. The point is the only way to get restrictive granularity on users on any given Windows machine is to invest in a Windows server , setup Active Directory and force users to log on to the DC. However you still have the Local User policy problem which automagically applies when there is no Domain Policy to be forced. Obviously the ability is there , it just needs to be implemented on all levels locally and over the wire. They could proaby do it tomorrow with a patch.

Re:Swing and a miss...

[Elwood+P+Dowd]

Installing software is an administrative task, not a user task. Software installation *should* require admin access.

Just one more example of MS not understanding the difference between administration and use.

No, no, no. You couldn't be more full of shit if you tried. In Linux, you can

./configure --prefix=$HOME

In OS X, you can

./configure --prefix=$HOME/Library

or leave your .apps in ~/Applications/. The whole point is to make it so that users can install applications without it installing spyware all over your system directories. Software installation shouldn't require admin privs. You should be able to do just about anything to your computer without effecting other users.

Re:Swing and a miss...

[Surt]

It is a problem. A user should be able to bring their own software to a system, sit down, and use it.

What they shouldn't be able to do is harm the system in any way by doing so.

ACLs in UNIX

[tepples]

Unix permissions _do suck, they're too simplistic and ACLs solve a lot of the problems inherent to it.

The UNIX® permissions model has had access control lists pretty much forever. Every user can belong to one or more lists of users called "groups", and each file designates a set of permissions ("Access Control") for a group ("List"). Some file systems allow for more sophisticated ACL behavior by specifying more than (access control, group) tuple.

But ACLs are broken anyway; the next wave of permissions architecture is capabilities, as seen in EROS and other research operating systems.

Re:-rw-r--r--

[be-fan]

The problem with the NT security model is that they violate an important principle of security: they aren't simple. Simple security systems are not only more likely to be correct, but they are easier to use. Ever ask *why* so much Windows software doesn't bother using the security mechanism? Ever try to code to it? It's ugly and complicated!

Mount points have been supported since 2000

[melted]

Mount points have been supported since 2000 in Windows. And hardlinks. ACLs and multiple streams per file were supported almost from the very beginning.

Before bashing something you should at least RTFM, otherwise you just look like a typical teenage Linux zealot.

Disable vs. prompt

[tepples]

Anyone can sign thier manifes (assembly), but if its not from a trusted source, you get a warning saying the cert could not be verified.

You're thinking of what happens when the action for "Install unsigned software" is set to "Prompt". The worry is that Microsoft will set it out of the box to "Disable" rather than "Prompt".

Just proves the old addage

[mrwiggly]

Those who don't understand UNIX are doomed to reimplement it. Poorly.

C'mon, Winamp!!

[Pionar]

This was why I had to drop Winamp. My choices were to either run Winamp as Administrator or not have access to the media library function.

Blah. It's a good thing iTunes rocks.

Re:C'mon, Winamp!!

[siliconjunkie]

This was why I had to drop Winamp. My choices were to either run Winamp as Administrator or not have access to the media library function.

Winamp is a TOTAL pain in the ass when it comes to running as a limited user, but there are a few ways to get it to work right without running as admin. The first, obviously, is to install Winamp to your user directory. This is not the most secure method, but with some care it can be (relatively) safe and certainly better than logging on as admin. The other way is a bit more complicated and involves a plugin and directions that can be found here.

Re:Windows != Unix

[Eric+S.+Smith]

Windows doesn't use a single filesystem root, so the concept of "chroot" doesn't apply.

The broader concept is that of putting processes in little restricted-filesystem "jails," which is perfectly applicable to Windows. A process could think that it's dealing with C:\blah when it's actually in C:\Program Files\Applications\Thing\blah. Expanding on the idea, you could expose a CD drive, but keep the DVD burner hidden, and so on. Perhaps you could even hide your Internet connection from a less-than-totally-trusted process that shouldn't need it.

Thank God the kids are moving!

[JThaddeus]

Adding a meaningful permissions scheme will either kill many of my kids games, force a repurchase, or give me loads of headaches. When we got an XP box, I thought "Great, no crap installed by teenagers." Then I found that none of their games would play without write ability to the game directory in 'Program Files'. So guess what? They are administrators, too. We're not talking small stuff or fly-by-night companies. My kids have worked very hard to keep EA Games in business. I'm glad they will be out of my house when Longhorn comes around. Let the university's tech support sort it out with them.

There were similar problems with Eudora which my wife uses for email. So, she's an admistrator, too. And Eudora had its own headache under XP--she and I could not share mailboxes as we had done under Win98, even if the mailboxes were in a shared directory.

Good thing I have my own Linux box. When the kids and their games leave, I'm getting the Mrs. a Mac and shinning on we're-all-administrators-here Windows for good.

Re:Swing and a miss...

[jwsd]

Installing software is an administrative task, not a user task. Software installation *should* require admin access. Just one more example of MS not understanding the difference between administration and use.

Who is going to be the admin for home users?

Re:Swing and a miss...

[Nintendork]

"The whole point is to make it so that users can install applications without it installing spyware all over your system directories."

What's the difference when you look at the end result? Very little. Users are still able to install Banzai Buddy, Gator, My Cool Search, $20/min. dialer programs, etc. The only difference is that instead of ghosting to restore a hosed system, you only have to delete the users profile/home directory after backing up the data files. Big whoop. You just saved a 1/2 hour of downtime for the user and 10 min. of administrative time involved in ghosting.

Ideally, only admins can install programs. Users home directories are for storing all their user data. If you need to lock it down further and prevent executables that don't need to be installed, you can use group policy to lock down allowed executables. The technology for doing these things is there. The problem is software developers with no sense of security. This is a developer problem and will exist regardless of the platform. If Windows had the luxury of having the majority of their users and developers being geeks with an iota of security concern, Windows wouldn't have such a bad rap.

-Lucas

Not to nitpick,but...

[spun]

That's what /etc/fstab is for, specifically the user flag.

Most distros use the owner flag instead and set ownership of the device in a script when logging on from the console. There is no good reason to allow someone who isn't actually sitting at the console to mount or unmount removeable media, and plenty of reasons not to.

As far as installing as a regular user, you are absolutely right, as long as the program doesn't want to use ports under 1024.

Re:MOD parent up, only post who knows what's going

[Narchie+Troll]

"Light-years ahead of anything Linux is offering" is only true if you're entirely ignorant of any security work done on linux. SELinux and grsecurity both offer features that NT entirely lacks.

And, as a response to my former post explained, "*incredibly* fine-grained" is also untrue. It's only fine-grained in comparison to UNIX permissions bits.

A downgrade

[jbolden]

I know I'm going to get flamed horribly for this, But I consider this a downgrade. The Windows permission system (which is essentially the VMS permission system) is far better than the one for Unix offering much better controls especially for large scale servers where administrative responsibilities are divided between teams. I think the real problem with Windows is that it didn't go far enough in implementing the VMS permissions model. On VMS its common for highly privileged users to run in an unprivileged state with few privileges except the power to grant themselves most privileges and then do the following:

a) Run in an unprivileged state until they get a privilege error
b) Determine if they really want to do the thing that caused the error
c) If yes temporarily grant themselves permission to do this thing. This is sort of like sudo but only grants one particular type of privilege not everything at once
d) Try again. If they get another permissions error on another permission repeat steps b and c.
e) Once successful (or they decide not to complete the action) then lower their permissions back down to their normal level.

The closest analogy for people haven't used VMS or a mainframe would be OSX when it asks you specifically before you do an administrative task.

This is way safer than Unix's system of permissions. The problem is that applications just fail for lack of privilege and the interface doesn't make it easy to bump all over the place. Frankly I think adopting the Unix model with less fine grained privileges is a major downgrade to NT. The problem is with the applications (including those written by Microsoft) not the OS.

Re:A downgrade

[Derleth]

I'm a UNIX guy and I agree with you, actually. If the VMS security model is implemented properly on Longhorn (or if it was implemented on WNT), MS would have something legitimate to gloat over when talking about how 'archaic' UNIX systems are. But MS couldn't do that with WNT or Windows XP and it won't be able to do that with Longhorn.

Backwards compatibility for applications is one piece of the puzzle, but not the most interesting one. You can run applications in a virtual machine or a sandbox and solve most of the problems. Think of something between chroot and WINE as the new 'Operating Environment' for pre-Longhorn applications that need to think they're running as Admin when they really can't be trusted with Admin-level access. This is nothing new, and MS could have done it in the original WNT.

The main problem for MS is that they feel the need to talk down to their users. The command line is too complex for their intended audience, so they have deprecated it and made it less powerful in favor of endless graphical wizards that walk you through everything. VMS style privileges are too complex, so they completely ignore the issue until their users are screaming at them, then they cruft on UNIX-style privileges and ignore the better but more complex VMS model originally part of their design.

MS thinks everyone who uses their OSes, even sysadmins, is unskilled labor. That is why they don't give people powerful tools: Powerful tools are complex, and liable to turn in your hand if you don't understand them.

(The unansked question is why Linux or the BSDs haven't adopted the VMS privilege model yet. I hope that becomes an option someday.)

Re:Windows biggest problem is Microsoft

[argent]

developers skirted the BIOS because BIOS calls were too slow -- that was back when the BIOS was part of the OS. This is not a Microsoft problem

It bloody well is a Microsoft problem. They had the ability to improve the performance of the BIOS, ANSI.SYS was frequently ten to a hundred times faster than the BIOS on a typical computer... all they needed to do was intercept the BIOS calls and perform the same operations they did with ANSI.SYS and they would immediately remove any need for people to go around them.

But they didn't. So your choice was ANSI.SYS, or direct hardware access. I went with the BIOS for my terminal program and half my code was "curses" style optimizations to avoid making extra trips into the BIOS ... as if this memory mapped display was a 300 baud terminal!

Similarly, the current mess with applications needing to write to %SYSTEMROOT% to install is Microsoft's fault, because for many years they recommended that applications do that... as near as I can tell so they could ship DLL updates through application vendors instead of coming up with their own update mechanism. The result of that? Administrator-level installers, DLL Hell, and viruses being REINSTALLED back into %SYSTEMROOT% by the system restore tools they created to try and work around the problems...

Not Microsoft's fault? Like hell it's not!

Re:Windows != Unix

[owlstead]

The idea of shielding applications is in the right direction, but the idea of virtual paths does not seem too usefull to me.

I would love to have the OS install an application, and then put restrictions on it. Games do not need to know what's in the "My Documents" folder; a Word processor should not be able to take over the screen like a game does. So we need to put applications within groups, and put default permissions on them (which the application can overwrite with the permission of the user).

Types of restrictions: memory uses, number of processes, threads, sockets, number of windows (and other widgets), file system access, calls to other processes etc. etc.

For this to work the OS will have to be on a different level then the current operating systems though, which are little more than glorified disk operating systems with a GUI. I mean, any install on Windows can mess up any other install, what's that about? And if the deinstaller is badly written, it can mess things up as well. Don't even think about talking dynamic link libraries, because that's what's really badly implemented.

Yes, there are many improvements in newer operating system, and I look forward to the new features in Longhorn, and I'll try out OS X out soon as well. Linux seems to be stuck with its age-old file based ideas, with applications spread out all over the disk. They are still more secure than Windows though, and SE linux is a good idea.

I can just see it now...

[mhollis]

On another forum I noted the howls of indignation and protest when Mac users who were used to the old System software took the leap to OS X with Unix permissions and accesses.

A number of us did our best to try to dissuade users from operating in "root" or god mode because it is dangerous. I recall being flamed for having tried to tell one poor soul about how he had regularly and routinely messed up his system by doing that and that if he decided to simply create a user who could administrate the computer, he'd be fine.

"I realize you want the operating system to 'be good' and work that way, but it doesn't. Sorry about that."

And now Microsoft is going to adopt Unix permissions. How wonderful. Apple has a pretty smaller user-installed base. I believe it's growing due to their hardware, like the iPod and their new Mac Mini but it took some patience from Apple gurus as well as Apple to help people over that "permissions things" hump.

Compared to that little dustup, Microsoft's adoption of Unix permissions should be a lot like dropping a 20 gigaton thermonuclear device on the computing world. Apple released a "Repair Permissions" script which should be run regularly after updates to verify and change back any mangled permissions. I'd imagine Microsoft will do the same -- in about three years