LUA part 4 (of 5): Changes in Windows Vista/7 - John C. Kirk — LiveJournal

Jan. 19th, 2010

03:39 am - LUA part 4 (of 5): Changes in Windows Vista/7


Comments:

From: gaspodog
Date: January 19th, 2010 10:44 am (UTC)
The approach taken by the UNIX / UNIX-like operating systems I'm familiar with is slightly different to this. Admin users are given access to the sudo command, which essentially allows them to execute commands as root. This has been around on the command line since the early '80s, and is analogous to the 'Run As...' option in Windows.

Ubuntu and Mac OS X both have graphical interfaces wrapped around this (gksudo and Authorization Services respectively) which will prompt a user when something they're doing requires greater privileges, which I guess is quite similar to the Vista UAC approach. The difference is that even an admin user account doesn't have privileges to do everything - they just have access to sudo so that their credentials can be used to elevate to root privileges where required. This means that even a process belonging to the admin user can't comprehensively mangle the computer (just that user's individual files and settings), unless the user gives it access.

You can switch to running as root, however it's generally not advised as you can elevate to root privileges on demand. Mac OS X (and possibly Ubuntu) don't even have root passwords configured by default. You can set one up if you desperately want to, but most people don't.

I remember reading a lot of the complaints about UAC when Vista came out, and being confused by them. By that point I'd got used to being prompted for my password when installing software for all users or performing certain administrative tasks. I suppose if people were used to running in an account with admin privileges it could seem annoying, but it really does seem like the best way to maintain a sensible level of security in a graphical operating system (for the average user). I guess the Mac/Ubuntu approach is slightly simpler, as the kind of LUA you describe only requires you to have one user account set up instead of two.
From: totherme
Date: January 19th, 2010 02:24 pm (UTC)
Ubuntu does indeed not set up a root password by default.
From: shuripentu
Date: January 19th, 2010 06:01 pm (UTC)
Which (for those reading who may not know) doesn't mean the root account can be accessed without a password e.g. by just hitting enter; it means the root account can't be accessed, by anyone, at all. It sits on its plinth and anyone wanting root privileges must send up a request on the ladder of sudo.

Of course, there is the option to use sudo to set up a root password, and then you can sit on the plinth when you like. Which makes me wonder: does sudo instead of root grant any extra security beyond the mental check enforced by having to prepend your command with sudo and then type in your password? I mean, if you can get access to a sudo-enabled account, you can get root, and then you can do anything.
From: gaspodog
Date: January 19th, 2010 07:25 pm (UTC)
If you get access to a root account, you can do anything. If you get access to a sudo-enabled account, you still need to know the password to do root things.

There also isn't a handy account named 'root' you can try to guess the password for :)

It's not much, but it makes sense.
From: johnckirk
Date: January 19th, 2010 03:03 pm (UTC)
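The distinction drawn in the two comments above (a root account with "no password" is locked, not open) comes down to what sits in the password field of root's /etc/shadow entry. The following shell snippet is an added example, not code from anyone in this thread; it classifies that field for a few constructed sample entries and is not taken from any real system.

```shell
#!/bin/sh
# Added example: classify the password field of an /etc/shadow entry.
# The sample entries below are constructed, not copied from a real machine.

# shadow_state ENTRY -> prints one of: passwordless | locked | set
shadow_state() {
    # The second colon-separated field holds the password hash (or a marker).
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")        echo passwordless ;;  # empty field: logs in with no password at all
        '!'*|'*')  echo locked ;;        # "!" or "*": no password can ever match, so
                                         # the account is unusable for password login
                                         # ("!" may also precede a retained hash, as
                                         # passwd -l leaves it)
        *)         echo set ;;           # a real hash: a password exists and can be guessed
    esac
}

# audit_root SHADOW_FILE -> state of the root entry in that file
audit_root() {
    entry=$(grep '^root:' "$1")
    [ -n "$entry" ] || { echo missing; return 1; }
    shadow_state "$entry"
}

# Constructed sample entries
ROOT_LOCKED='root:!:18000:0:99999:7:::'      # what "no root password" usually means
ROOT_STAR='root:*:18000:0:99999:7:::'        # another conventional lock marker
ROOT_SET='root:$6$saltsalt$NotARealHash0123456789:18000:0:99999:7:::'
ROOT_EMPTY='root::18000:0:99999:7:::'        # the genuinely dangerous case

for e in "$ROOT_LOCKED" "$ROOT_STAR" "$ROOT_SET" "$ROOT_EMPTY"; do
    printf '%-12s %s\n' "$(shadow_state "$e")" "$e"
done
```

On a live system the same check needs root to read /etc/shadow; `audit_root /etc/shadow` (run with appropriate privileges) reports which of the three states the root account is actually in.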
I haven't used sudo, but it does sound like a fairly similar concept. There's a blog post here which discusses some implementation differences; the main issue seems to be that in Unix you can authorise a program once and then always run it as root, whereas in Windows you have to authorise it every time. Does that match your experience in Mac OS X?
From: gaspodog
Date: January 19th, 2010 03:34 pm (UTC)
Whenever I run commands (programs) which modify files outside the areas my default account can access, I have to use sudo to acquire the required privileges if on the command line, or I will be prompted for my password if in the GUI. You can set things up deliberately so that they always run at a different user level, but I've never done this. This is broadly the same on Mac OS X and Ubuntu.

Some software will install components which run as root (or with higher levels of access) - but you get what you deserve if you install that sort of thing without thinking about where you've got it from and whether you trust the source.

On Ubuntu, 99% of the software I use comes from the Ubuntu software repositories, which I generally regard as a trusted source. Quite a few pieces of software will install components which require different user access from my own account. Some achieve this by having components run as root by various system scripts, others set up their own user accounts with the required access on installation and use that. Community vetting would quickly detect if anything from the official repositories was suspect.

I'm not quite sure the article you link to knows what it's talking about regarding the UNIX/Linux etc. side of things. There are problems with sudo, but to say that we've been 'plagued' by them is a bit over the top. It seems to conclude that the sudo approach wouldn't work with Windows because of the history of security on the Windows platform, not through any inherent problem with sudo (which is itself eminently configurable and can be set up in a variety of ways).

The Symantec article linked to basically seems to assert that sudo is a security hole because sometimes users are silly and run code they shouldn't. With all the will in the world, if an uneducated user has access to root privileges through any means then they have the capability to run malware and damage the system. The only way to protect them from this is to give them no access to such privileges and limit what they can do.

I personally think there's a lot more value in choosing a scheme, sticking to it, and then pushing for user education wherever possible.

Note: referring to UNIX as a whole is problematic, because whilst certified UNIX systems (which includes Mac OS X) and UNIX-like systems (like Linux) have a lot in common in the way they do things, they also do quite a few things differently. There are various choices for implementing LUA stuff, and different distros and OSes vary widely.
From: shuripentu
Date: January 19th, 2010 06:23 pm (UTC)
I'm not quite sure the article you link to knows what it's talking about regarding the UNIX/Linux etc. side of things. There are problems with sudo, but to say that we've been 'plagued' by them is a bit over the top.

I may be incredibly oblivious by nature, but if there was a plague, you'd think I'd have noticed it sometime in the last 10 years...

And yes, if a user has (potential) administrative privileges and is ignorant, then absolutely nothing can protect them from hosing their computer, and possibly their finances. User education is IMO much more important and effective than putting up security barriers, especially ones that said user can take down when they like.

I've had a look at the Vista UAC prompt, and I honestly don't think it does anything for user education. It says the user needs to give permission for a process to continue, and asks the user if they started that process. It says nothing about the most important aspect, which is that this process wants administrative-level privileges, which would allow it to modify system files and settings, and is the user certain that they want to allow this process to do so? This seems obvious to us, but we already know about and understand root privileges; the real audience are the users who are in the dark, and as it stands, they remain in the dark.
From: susannahf
Date: January 19th, 2010 07:29 pm (UTC)
User education is IMO much more important and effective than putting up security barriers, especially ones that said user can take down when they like.

YES. This is *exactly* my point. Having set up my parents' new Win7 machine, I have to say, I like UAC. It makes Windows more secure, more sudo-like. Which is Good. BUT, it doesn't in any way replace or reduce the need for user education. If anything, it increases it, since now you get scary boxes saying "jucheck.exe wants to run, should I let it?" WTF! (turns out that's Java update - good explanation there guys!)

Given the choice, I would choose user education over software controls any day. Because an idiot user will disable the software controls, but a small amount of understanding goes a very long way - and yes I am referring to supporting non-techies. I tech-support for my parents and grandparents, who range from competent but not confident to positively luddite. And yet they can all understand and apply basic security rules if explained in a sensible manner (two of which are "if in doubt, don't click it. If frightened, turn the computer off, at the mains if necessary.")
From: shuripentu
Date: January 19th, 2010 05:57 pm (UTC)
I suspect the default of no root access, but instead the option to put users on the sudoers list, only applies to *nixes aimed at desktop use.

On FreeBSD, at least the last time I checked, sudo isn't on the base system, probably because anything you do with a server will need to be done as root anyway. If you use FreeBSD as a desktop OS, you can either install and set up sudo (which is genuinely trivial) or just su root in a terminal and do your rooty thing. I never came across, nor can I imagine, a situation on FreeBSD in which root privileges would be necessary in an environment beyond the command line, so just grabbing a terminal when needed was quick and convenient. (Window managers get lonely if there isn't a terminal open, you know.)

I must admit that, under *buntu's new regime, I am a bit irritated by having to prepend all my administrative commands with sudo, or type in my password whenever a graphical administrative tool brings up its sudo window. A single su root and a hard-wired paranoid reaction to a prompt ending in # is much more convenient. But admittedly slightly less secure, so I accept the added keystrokes, however grudgingly. :)

I'm getting the impression that Vista's UAC complaints were due to users being asked to give their authorisation for a lot of things, a lot of the time. (Not just when they want to install something or change a system setting, as we *nix users are used to and expect.) That, quite frankly, would piss me off immensely, and were I in that situation, I'd complain loudly too - and then turn UAC off, because the added security isn't worth the considerable irritation.