Slashdot Mirror
Longhorn to use UNIX-like User Permissions
destuxor writes "After years of Windows users abusing administrative accounts out of necessity, Microsoft promises that Longhorn will make better use of user permissions in what sounds exactly like what UNIX/Linux users have been doing for years. Hopefully this will fix the long list of applcations that cannot be run by a Least-Privilege User Account (LUA) while giving a much-needed security boost. Too bad "MS-root" can't watch over your grandmother when she opens emails."
Whilst this is a step in the right direction, Id be willing to bet that Microsoft will put a hefty fee on the LUA Pricniples program, putting it out of the reach of a lot of smaller software houses.
If this is the case, then users will once again become used to just allowing any old piece of software to install with higher privileges, totally defeating the purpose of this.
How many people do you think abort the installation of unsigned drivers, even when XP warns them that they are unsigned. I'd presume it is a very high percentage.
You can lead a horse to water, but you cant make it drink.
I think that it's a good start and may well make a big difference in companies which use Windows as their desktop platform and have system administrators who can control user accounts.
This section from the article seems to have a good point: A strictly enforced LUA model could make it harder for worms and viruses to take over Windows systems. But Microsoft may have a tough time changing user and developer behaviour, even with new features that support the LUA regime in Longhorn, experts warn.
On home systems, we still currently have enough problems trying to convince people not to open dubious attachments, or with people giving sites permission to install practically anything on their machines. It will take a big shift in attitudes (or Microsoft forcing the user to jump though hoops) to make many home users have anything but admin-privilege accounts.
It's about damned time this issue gets addressed. Every day at work I have to fight with this M$ limitation. Chief among the offenders are:
- Kodak Share software
- Autocad
- Any serial port emulation program
- PowerDVD
Most users must be elevated to Power User status on their machines to allow them to do anything nowadays, while there are plenty of programs (like the ones listed above) that will malfunction or simply refuse to work with anything less than full Admin rights. Sometimes, I have no choice but to give a user full Admin rights...I grind my teeth as I do so, knowing full well I'll be called to disinfect the machine of countless spyware programs within weeks, if not days.
____
~ |rip/\/\aster /\/\onkey
Microsoft also proposes application manifests, which allow developers to define the permissions an application needs to operate properly
I recall a few years ago when all applications even MS Office came with this type of documentation so that Netware administrators could install the software and configure the "rights" properly.
I had recently encountered a few Windows applications where permissions were a problem and I was reminiscing about just that. Serendipity?
The permissions will permanently be set to 777.
The problem has never been a lack of permissions in NTFS, just that no one uses them well.
This might not change much, windows users are generally lazy. I see most people will just log in as an administrator and stay that way forever. The article didn't mention how easy it would be to switch to an administrator either like unix's su. No matter what microsoft does security will always be a huge problem, users don't want to change they like it easy.
No the Microsoft permissions in Longhorn will be different from Unix permissions... :-)
They'll be patented.
well, it will once MS finally patents them like they did sudo.
http://taint.org/2004/08/20/024522a.html
--
Check out my music video!
--
Evan (Really nifty language)
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
The permission mechanisms in Windows NT/2k/XP are pretty flexible. Unix is only just migrating from the old user/group/world permission set to access control lists, something that is readily available for just about everything in the Windows operating system, from files to individual registry entries.
The problem with Windows permission management is that a) it is completely hidden from the casual user, b) there are no guidelines how applications can be made to work with restricted privileges and programmers are too lazy to figure it out themselves and c) the default XP install makes everybody an admin, so there is very little incentive for application programmers to get it right.
Note that the discussion isn't about using literal Unix-style permissions -- the title is rather misleading. NTFS permissions are very good; in some ways, they are superior to classic Unix permissions (but not necessarily to Posix ACLs).
Instead, the Windows security model is (apparently) going to be more Unix-like, in that the demarcation between administrator (root) and normal user will be more strict. Mostly, this means making software developers allow their programs to be installed and run with limited permissions, unlike the current admin-fest.
There are many ways that Microsoft could fuck this up, but I hope they don't. Unlike some people, I have no investment in constantly repairing ruined systems.
While this has been a long time in coming, problems are bound to accompany a change of this large a scale. I see the biggest problem being older apps that do the job, but aren't under development anymore. As well, it would be great if MS could implement something that follows along the same lines as the su command for *nix. Just a quick userswitch at the command line, install a program, and bam, done.
Expectations are for the unprepared.
I'd like to add that I hope that some of the software developers will start to consider that people will be running their software under another account other than "owner". I have a game, that no matter what I do to the permissions, will not run under any account other than the owner/administrator. /. regarding Windows security and permissions and I haven't had my machine corrupted - yet (knocks on head) Knock on wood.
I'd also like to point out that I've been following all of the suggestions and tips on
Thanks guys!
But here's something that worries me more about manifests:
Based only on this part, it appears that an application manifest must be published by an entity that can afford three figures USD per year for a code signing license. Developers of free software and proprietary freeware often cannot afford this annual fee. My worry is that Longhorn Home Edition may not permit users to install customized deployment manifests, locking users into using only programs with an application manifest, that is, proprietary commercial software.
After reading the article *gasp*, I wouldn't say Microsoft is moving towards a UNIX-like security system. Rather they are moving away from a stupid security system.
There's nothing inherently UNIX-ish about not giving normal users administrative privileges. Unless you're defining UNIX as any multi-user operating system. The idea of limiting normal users is standard in any decent multi-user operating system.
The Tao of math: The numbers you can count are not the real numbers.
This isn't Windows switching from their ACL model to a UNIX permission model.
/finally/, forcing the issue.
One, they are pushing for 3rd-party developers to finally stop requiring simple apps like kid's software and low-end desktop publishing to be run with escalated privileges.
I mean, these application developers have had since '98 or '99 to work this out. But Window's lax defaults and lack of user education didn't force the issue. Microsoft is finally,
Two, it is Microsoft finally realigning their default ACLs to be at once more secure and more common sense.
It makes no sense for a home user to not be able to control their power settings or change their system time unless they have escalated privileges.
Really, this isn't so much Windows following UNIX as it is Windows following OS X.
Finally, and this is IMHO, going to a permission model would be a *huge* step backwards. I know UNIX die-hards will flame me for this, but it is my experience that ACLs are much more flexible and lucid than permissions.
obviously no deficiencies vs. no obvious deficiencies
Unix permissions _do suck, they're too simplistic and ACLs solve a lot of the problems inherent to it. For example, if I want to define a class of groups where each group defines a set of people allowed certain permissions to a directory, recursively, there's simply no way unless you use a filesystem that has an ACL extension (or something like XFS which has ACLs built in).
The article poster's saying "Unix Permissions" was being misinformative; Windows will never use the setuid-user-group-world style permissions, it has an ACL-like system. I think what's really meant is that this system will actually be USED in the future, it's pretty much ignored right now for most Windows desktops. As I read this, Microsoft will just be actually enforcing and organizing their own system -- which is a good idea.
If you say "here goes my karma" I will bite you!!!
Just as the login process forks and drops its root privileges before running your shell, the file manager or window manager would fork and drop its full user privileges before running an application that was supposed to wear a certain hat.
I'd love to blame Microsoft for their own operating system problems, but really, the blame is mostly on the third party developers.
It has been this way from the beginning... as far back as I can see, developers skirted the BIOS because BIOS calls were too slow -- that was back when the BIOS was part of the OS. This is not a Microsoft problem, but it adds to understanding of how the culture evolved. "Forget about standards and interoperability, we need to deliver performance!" The error in judgement has been costly.
Today developers continue to write code that uses and exploits bugs and irregularities in the MS Windows operating system environment. If I learned nothing else from reading the comments found in the Windows Source code scandals, I learned that Microsoft became obliged to add code to emulate bugs and irregularities for specific applications to continue to run properly. In a perfect world, the app writers would write code using the APIs as documented. (And when bugs and irregularities were found, Microsoft would FIX them to discourage developers from utilizing the strange or buggy behaviors)
Developers should be mature enough to realize that any bug or irregularity found in an OS API should be considered subject to change and could break their software once it is fixed. It kinda bugs me that these "paid professionals" were and continue to be so short-sighted.... (meanwhile, these Open Source Amateurs rely almost exclusively on documented API functions and features simply because bugs and irregularities are often fixed quickly enough that to write code against them would mean they would need to update their code AGAIN.)
I think this kind of speaks volumes about where the real weakness in commericial software development lies -- in the motivation.
This doesn't solve all problems for Microsoft, just changes them.
While this will be a certain benefit to corporate environments with IT security policies and IT departments to come install/upgrade software for employees while at the same time ensuring that new version of FreeCell you got from a friend doesn't infect the whole corporate network, the issues become more troublesome for home users.
A home user will either end up running their system as an Administrator, thus circumventing the access permissions model, and/or they will become frustrated with the inability to install/update/access/delete files on their own computer.
How many times has the home user faced a property configuration wizard that tells them to contact their "system/network administrator" for more information.
My mother is not a "system administrator", but yet, to change her ISP, she had to put on that hat or call me to talk her through it.
No disrespect to Linux, but Microsoft would do well to study Apple's model for system security on a home implementation. Apple has, successfulyl in my opinion, abstracted much of the user security model to allow the home user to know nothing about CHMOD while still providing appropriate security when needed - like entering an administrative password (SUDOing the application) for installations and upgrades.
Last on the list of needed changes to the windows security model is to provide far more robust error/exception handling when a user does something like tries to rename a file that is open. Consider this closing argument:
"The file cannot be renamed because it is in use by another application."
versus
"The file 'foo.doc' cannot be renamed to 'bar.doc' because it is opened by 'Word.exe' would you like to:
- Cancel the renaming
- Save the document changes in Word and rename the file
- Discard the document changes in Word and rename the file"
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
After all, the next Windows will be a version of BSD, a rip-off of Mac OSX. Claims of BSD's death are greatly exaggerated.
The Uncoveror: It's the real news.
In reality that is what drive naming convention does. Especially using F: for a networked folder \\filer\production Behind the mask of C/D/E could be the \\devicename\partition\ Just windows gives you the convience of the drive name.
----- You know you have ego issues when you register a domain in your name.
You forgot the read the fine print.
M$FT is innovative in the realm of the MS Windows OSes. It does a better job of adding new innovative features to various MS Windows OSes better than anyone else does.
It's a very narrow scope.
...but getting older programs working in XP was bad enough. Something like this is probably going to break 3/4 of the old Windows software out there, a nightmare for those of us in the corporate worlds. Cause, you know, Sue in Financials has 10 years worth of expense reports locked up in PeachTree Accounting 4.4 for Windows 95 and doesn't see why she should use anything else, and Doug in Facilities has a master key database in dBase 2.5 for DOS that nothing on the fucking planet can read any more.
Ugh, I'm already seeing the problems.
'Being root' and running a SUID CD burning application is rather different. In fact, it's entirely different, since you're granted no special rights as a user.
/etc/fstab is for, specifically the user flag. That is indeed a bogus claim.
You do not have to be root to mount anything. That's what
Most programs can be installed as a regular user under $HOME. I've done it many times on systems where I have no root access. This includes everything from Lua to GTK+. In fact, very few Linux programs require root access to install and use properly.
Either you haven't used Linux, or you haven't bothered to learn how to use it properly.
Wow, so you mean that things are locked down by default and you have to specifically enable things like letting users burn cds or mount things?
You have to be root to install almost anything.
Yes and no, some programs allow you to install to your home directory and then you don't need any permissions. Other than that it's the same for any OS, windows included.... it just happens to be that with windows everyone's usually an admin.
You have to be root to mount a CD-ROM, USB device like a dongle or camera, SMB share or floppy.
You have to be root to burn a CD.
chmod my friend...
Now, everyone is going to start screaming that the above trollishness is bogus but, it isn't. Sure, you can easily get around most of this stuff and many distros do. How? They get around it by either giving world writable access to the device or by SUID on the application. It's really no different.
Actually it is very different and you don't have to give world writable access to the devices in question if you don't want to. Have you ever heard of groups? You could for instance make a cdwriter group and then assign users you want to be able to burn cds to that group. The big difference is that there is no way to really do this in windows. You're either an admin or you're not. Giving someone access to write to a cdrom drive won't allow them to say accidentally install some virus. If they do install some virus, it would be limited to things they have access to.
Oh and it's this way with all Unixes, not just Linux. I for one am glad to see windows is finally catching up to UNIX, hopefully they won't mess it up too badly. This wouldn't be the first time I thought windows was going to do something good, only to find they implemented it wrong or introduced a whole slew of other problems.
There are no trails. There are no trees out here.
The problem with the NT security model is that they violate an important principle of security: they aren't simple. Simple security systems are not only more likely to be correct, but they are easier to use. Ever ask *why* so much Windows software doesn't bother using the security mechanism? Ever try to code to it? It's ugly and complicated!
A deep unwavering belief is a sure sign you're missing something...
Reminds me of that VMS admin they found deep in the heard of some DEC building last year. From what I understand, he still doesn't believe that Compaq bought out his company, and they're having a hell of a time tracking him own in there. Late at night he somehow evades security cameras, sneaks out and defaces HP logos.
They say you can hear his screams of "thread-level security" echo through the halls.
Mount points have been supported since 2000 in Windows. And hardlinks. ACLs and multiple streams per file were supported almost from the very beginning.
Before bashing something you should at least RTFM, otherwise you just look like a typical teenage Linux zealot.
Those who don't understand UNIX are doomed to reimplement it. Poorly.
The broader concept is that of putting processes in little restricted-filesystem "jails," which is perfectly applicable to Windows. A process could think that it's dealing with C:\blah when it's actually in C:\Program Files\Applications\Thing\blah. Expanding on the idea, you could expose a CD drive, but keep the DVD burner hidden, and so on. Perhaps you could even hide your Internet connection from a less-than-totally-trusted process that shouldn't need it.
Mind the Gap
This was why I had to drop Winamp. My choices were to either run Winamp as Administrator or not have access to the media library function.
Winamp is a TOTAL pain in the ass when it comes to running as a limited user, but there are a few ways to get it to work right without running as admin. The first, obviously, is to install Winamp to your user directory. This is not the most secure method, but with some care it can be (relatively) safe and certainly better than logging on as admin. The other way is a bit more complicated and involves a plugin and directions that can be found here.
developers skirted the BIOS because BIOS calls were too slow -- that was back when the BIOS was part of the OS. This is not a Microsoft problem
... as if this memory mapped display was a 300 baud terminal!
It bloody well is a Microsoft problem. They had the ability to improve the performance of the BIOS, ANSI.SYS was frequently ten to a hundred times faster than the BIOS on a typical computer... all they needed to do was intercept the BIOS calls and perform the same operations they did with ANSI.SYS and they would immediately remove any need for people to go around them.
But they didn't. So your choice was ANSI.SYS, or direct hardware access. I went with the BIOS for my terminal program and half my code was "curses" style optimizations to avoid making extra trips into the BIOS
Similarly, the current mess with applications needing to write to %SYSTEMROOT% to install is Microsoft's fault, because for many years they recommended that applications do that... as near as I can tell so they could ship DLL updates through application vendors instead of coming up with their own update mechanism. The result of that? Administrator-level installers, DLL Hell, and viruses being REINSTALLED back into %SYSTEMROOT% by the system restore tools they created to try and work around the problems...
Not Microsoft's fault? Like hell it's not!