"Very Severe Hole" In Vista UAC Design
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.
If you install an RPM of unknown provenance, you deserve what you get.
Otherwise, the packages are presumed to have been tested by the maintainers and to not destroy your system.
There is no such structure in Windows-land. You clearly do not understand how the system works if you think the two are comparable.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
That's the thing. Most of the prompts I was getting were not from software trying to do stuff, they were from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
Er what? For me, it only gave the nag screen when accessing the control panel, installing software, running software with administrative privileges, or running Visual Studio. The Visual Studio thing is annoying, but other than that, all of the other things are the exact same sort of things that I have to sudo for in Linux. Except I'm not having to enter a password, just click a box. I'm not sure where the big gripe comes from, and honestly I feel like people are blowing it way out of proportion. Unless I'm coding (opening and closing Visual Studio) or changing the configuration of my machine, I never see the UAC box. So I barely see it during normal usage.
If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.
Just to be a pedant, I would like to mention that you can in fact do this on Windows. However, applications developers seem to be in love with the registry, despite the fact that it really offers them no benefits whatsoever. I mean, it's slower than just putting all that data in flat files...
I have lots of programs that work fine when I just copy them from one windows installation to another. Most of them are in my games folder, though.
UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.
MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).
A user has had the ability to install stuff in her home directory on POSIX machines for oh... probably since POSIX machines have been around. This isn't a "Mac concept". At most Apple has polished the idea to make it easy for non-geeks. And don't forget that OS X a.k.a Darwin is a POSIX-like implementation.
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does, but it is not recognized by Vista. #2: Administrators' permissions are only granted after a UAC prompt. #3: Users' permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
Actually, the concept was on the original Mac before NeXT existed. Mac applications would have the executable in the data fork, and any supporting 'files' in the resource fork. NeXT didn't want to implement forks, so they used folders instead. This let them store applications on filesystems that didn't support forks (e.g. FAT, UFS, etc), and so was probably a better solution.
I am TheRaven on Soylent News
I still don't understand where the supposed security gain is. Since when is malware unable to click ok itself?
The UAC prompt opens on a separate logical desktop. Applications from the main desktop cannot send window messages to it, which means malware will be unable to click OK itself.
Um, I think that he is saying that "do you want to delete file?" is a standard question. Win95 had it, mac os has it; Most Linux distributions are configured with rm in interactive mode.
No, it is completely different. For an MSI to run on Windows, it needs to use the installer SERVICE, which is running under the system account. This means that any installer is inherently running through a system user account. And if you had read the article, EVERY installer asks to be run as administrator in Vista, regardless of its intent. There is no exception made for a game, such as Tetris. RTFA yourself.
today is spelling optional day.
That's how most programs installed under DOS, so it definitely predates Darwin. Who'd have thought that DOS was more POSIX than Windows (at least in this one area)?
I am far from an RPM guru... but I have written a few in my day. Basically the way that an RPM works is you write a spec file which is just a script that tells RPM what actions to perform to install the actual binary. For example, put this file here, change its permissions, restart the running daemon associated with this package, etc. AFAIK the set of commands that you can give to RPM is limited, and I believe that you are not able to tell it to do things like load kernel modules. So sure, if you install an untrusted RPM it can do all kinds of nasty things like clobber your files, but there are limitations to what RPM can do. If you're really paranoid you can also run rpm with SELinux, which obviously has no analog in the Windows world.
#include ".signature"
Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus. You ARE prompted when doing something that will affect other users of the system, such as installing software site-wide. If you want to install a warez server under your own home folder, go nuts, you already explicitly have permission to do so.
Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so. Vista's all-or-nothing UAC is nothing more than an attempt to shift blame to the users, so that MS can claim to provide better security than ever before.
Sigh. The *point* of an App bundle is that you don't "extract" it. The OS knows how to read these things and treats them as part of the filesystem.
How we know is more important than what we know.
In theory UAC should behave like this as well. UAC is mostly a way of elevating privileges, just like sudo, minus the password. Administrators on Windows actually run under lower-privilege accounts, and then elevate for specific tasks that require administrator privileges.
See, the real problem is that so many things in Windows require Administrator by default. Even stuff that shouldn't. That's the real problem here.
Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so.
You can do this in Windows too. It has a "Run As" option, and ACLs that let you grant any arbitrary number of users or groups access to the file.
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
Actually it is different....
In a Unix shell, when you run rm on a file you don't have permission to delete, it fails. It doesn't offer to help you screw up.
it sucked in the pre-beta days, but the released bits behave just as you describe. Anyone who says otherwise is mongering the FUD.
I actually use [Shift][Delete] almost exclusively.
Me too. Yet on unix (csh/tcsh) I always do:
alias rm 'ls \!* && echo -n "Remove (y/n)? " && if(y == $<)
/bin/rm -rf \!*'
which, unlike "rm -i" prompts just once no matter how many files are being deleted.
I've run that way for over 15 years now (damn, I'm getting old) and never once deleted something by mistake.
Incorrect. The MSI installer service impersonates the privileges of the user that launched the msiexec.exe program that initiated the installation of the MSI package for the duration of the install.
Further, it is entirely possible to write an MSI package that can be run by a non-admin. Mostly, however, installers need to write to areas that make what's being installed available to some or all of the users of the system (e.g. \Program Files), and this quite properly requires admin rights.
Then the article is wrong. You can manifest an installer or exe to default to admin and UAC prompts, or AsInvoker if you know you can install without special access (installing to a user directory only, for example). You can see more information here: http://channel9.msdn.com/Showpost.aspx?postid=211271
Problem solved! Nowadays, most QuickTime movies are just H.264+AAC, both of which are MPEG-4 standards, so support for said media files is far more widespread than the old widely-used QuickTime audio and video codecs.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
From the NSIS (Nullsoft Scriptable Install System) documentation:
RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privilege level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.
It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.
More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".
So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.
You mean like modifying files that you don't have ownership of?
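The manifest mechanism described in the NSIS quote and the Channel 9 reply above, as an added Python example (it is not code from this thread, from NSIS, or from Microsoft): it parses a constructed application manifest for the requestedExecutionLevel element and models the launch outcome, including the "unmarked binary that looks like an installer gets elevated" heuristic the thread complains about. The manifest namespace and level names are the real ones; the filename substrings in INSTALLER_NAME_HINTS and the per-level outcomes are this example's assumptions about Vista's behaviour, not something the page documents.

```python
"""Model of Vista's elevation decision for a launched executable.

A declared requestedExecutionLevel is honoured; an unmarked binary whose
file name looks like an installer is treated as needing elevation.
Added example; every heuristic below is an assumption, see comments.
"""
import xml.etree.ElementTree as ET

# Namespace that carries trustInfo/requestedExecutionLevel in an app manifest.
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"

# Assumption: name fragments the installer-detection heuristic keys on.
INSTALLER_NAME_HINTS = ("setup", "install", "update")

# Constructed sample manifest: an installer that only writes into the user's
# own profile, so it declares asInvoker and never needs a UAC prompt.
USER_LEVEL_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def requested_level(manifest_xml):
    """Return the 'level' attribute of requestedExecutionLevel, or None when
    the manifest is absent/empty (NSIS 'none') or does not declare one."""
    if not manifest_xml or not manifest_xml.strip():
        return None
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    return None if node is None else node.get("level")


def looks_like_installer(filename):
    """Assumed heuristic: the base name contains an installer-ish word."""
    name = filename.lower()
    return any(hint in name for hint in INSTALLER_NAME_HINTS)


def elevation_decision(filename, manifest_xml, user_is_admin):
    """Return (runs_elevated, prompts_user) for launching `filename`.

    Assumed outcomes per level:
      asInvoker            -> caller's token, no prompt
      requireAdministrator -> prompt; a standard user must type an admin password
      highestAvailable     -> admins are prompted and elevated; standard users
                              simply run unelevated without a prompt
      no manifest          -> installer-looking names behave like
                              requireAdministrator, everything else asInvoker
    """
    level = requested_level(manifest_xml)
    if level is None:
        level = "requireAdministrator" if looks_like_installer(filename) else "asInvoker"
    if level == "asInvoker":
        return (False, False)
    if level == "requireAdministrator":
        return (True, True)
    if level == "highestAvailable":
        return (True, True) if user_is_admin else (False, False)
    raise ValueError(f"unknown requestedExecutionLevel: {level!r}")


if __name__ == "__main__":
    # Constructed launches: the Tetris-installer case from the story, with and
    # without a manifest, for a standard user.
    for name, manifest in (("tetris_setup.exe", ""), ("tetris_setup.exe", USER_LEVEL_MANIFEST)):
        elevated, prompt = elevation_decision(name, manifest, user_is_admin=False)
        print(f"{name:18} manifest={'yes' if manifest else 'no ':3} elevated={elevated} prompt={prompt}")
```

The point the model makes concrete: the same installer file name gives a prompt (and, for a standard user, a password prompt) with no manifest, and no prompt at all once it declares asInvoker, which is exactly the "user" execution level the NSIS post suggests for installers that stay out of system folders and HKLM.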
UAC does not, and has never, prompted users when they move files that they have permissions to. It does, however, prompt when you move files that are in the common desktop or in the common start menu folders.
Clearly, you don't understand anything about how Windows works. Windows has had access control lists practically everywhere in the OS since Windows NT.
Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.
slashdot ate the alias, it should say
alias rm 'ls \!* && echo -n "Remove (y/n)? " && if(y == $<)
/bin/rm -rf \!*'
You do know that app bundles are just directories called "ApplicationName.app", right? They are part of the file system. Also, those DMG files you get them from? Those are HFS+ (the file system format on OS X) images (similar to how ISO files are images of ISO-9660 file systems) which is why they get mounted.
I could spend a lot of time deriding your ignorance, but instead, you can google three words--linux extended attributes--and you will understand for yourself.
"[T]he single essential element on which all discoveries will be dependent is human freedom." -- Barry Goldwater
Uh, Linux has supported POSIX Access Control Lists and Extended Attributes for quite a while now.
Heck, it dates from the days when ext2 was the king of filesystems, and that's a long way back. (Granted, at least on ext3, you have to specifically turn them on in mount options or with tune2fs, but on XFS, JFS and (to my knowledge) Reiser3 and 4, they're supported out of box.)
And when people say POSIX, they mean "real *nixes have had these features for, like, centuries". =)
What are you saying next? "Active Directory is a so much better authentication system than /etc/passwd, which is also a security risk that exposes encrypted passwords to users"? =)
This is commonly done in Windows in one of two ways:
1. Use RunAs to fire off a new explorer.exe process running in admin mode. Then do as much work as you want; as long as the process is started from that window, it's all in admin mode. It's basically almost like firing up a term-serv window into your own machine. MakeMeAdmin is the same thing, but adds the elevated priv tokens to your regular profile for that one process (rather than starting a process in a different user profile).
2. Use RunAs to fire off a new cmd.exe shell running in admin mode. Then do as much work as you want as admin.
Now granted, UAC is sort of a weird hybrid thing, where you run as admin but can't do admin stuff without answering the prompt. But just turn UAC off, work as a non-admin (like a sane person), and use RunAs when you need it.