Microsoft Says Other OSes Should Imitate UAC

COA writes "Many Vista adopters find User Account Control irritating, but Microsoft thinks it's an approach other OSes should emulate. Microsoft Australia's Chief Security Adviser Peter Watson calls UAC a great idea and 'strategically a direction that all operating systems and all technologies should be heading down.' He also believes Microsoft is charting new territory with UAC. 'The most controversial aspect of Watson's comments all center around the idea that Microsoft is a leader with UAC, and that other OSes should follow suit. UAC is a cousin of myriad "superuser" process elevation strategies, of which Mac OS X and all flavors of Linux already enjoy. The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"

Re:biggest issue is filesystem

[Anonymous Coward]

NTFS use ACLs. FAT is only used by flashmemory devices nowadays.

Re:Patently obvious motivation.

[just_another_sean]

No you're not wrong. Even the default behaviour notifies root when someone tries to invoke it and fails. I'm not sure of the granularity but I am pretty certain that there are a number of configuration options for use in sudoers that set up notification for various invocations by different groups and users. (E.g. notify when random luser even tries to invoke sudo, only notify for adam-admin when his password is entered incorrectly).

Not to say that any old user can come along and figure this out quickly and easily but the facility is there for distros to design tools around it or to just provide a sane, default configuration.

Re:Um, no thanks...

[fritsd]

To be brutally honest though, I find it difficult to even *understand* selinux. I'm still only running it in permissive mode.. If Microsoft actually manages to show the user/system admin such audit messages and modify policy accordingly (based on system admin's response) then I think that's a good idea. Fetchmail and spamassassin spew some "denied" audits on my home computer but I haven't (yet :-)) found out how to modify the selinux policy. I think it shouldn't be done with interactive menus though; secure e-mail directly into root's mailbox is probably a bit safer.
Disclaimer: IANAsecurity expert, but I play one at home.

Re:Obligatory

[eneville]

To be fair, Apple's system is pretty easy to spoof.

Write a goofy screen saver and get people to download it. On install, say "you need to log in to install" which isn't unusual for a screen saver (at least not to the layman.) You put up a fake login dialog, and record their password. You install the screen saver in the user's folder, which doesn't require a password, and will trick the user into thinking it's all legit. Then you just transmit the saved password to God knows where when the screensaver activates.

I don't know if Microsoft's system offers more protection against that scenario.

doubtful, whats to stop the program from forking a process that takes a capture of the actual 'please enter the user/pass' screen, then displaying that and read the keystrokes ...

Re:Default Behavior

[frogstar_robot]

It's what Apple does more or less. The root user isn't actually involved but the first account created can assert administrator level privileges when appropriate by password.

Re:Or not?

[ArsonSmith]

Yea, I just double checked it and it was installed by root into Applications but as my primary user ID. This would allow me to upgrade it as long as I was logged in as my primary user.

I'm surprised the diskutility's fix perms didn't catch that though.

Re:Or not?

[Mattintosh]

The little detail dropdown arrow should open up to an elegantly indented list of what privileged actions the app intends to do. Copy a plugin into /Library/foo? Install a kernel extension? Delete all user documents?

It already does that. Exactly that, in fact. It opens up and says "The application needs to install a kernel extension." or "The application needs to install plugins into /Library/foo." I'm not sure how strict it is on what exactly those messages can and cannot say, but I've seen plenty of them pop up and tell me "The application needs keychain access for the keystore ABC." and things like that.

Re:Obligatory

[Necron69]

Gee, that's funny. My 1989 copy of the "UNIX System Administration Handbook" has a lovely section on the usage of sudo on page 32.

Evi Nemeth herself beat the use of sudo into my head during the Sysadmin Workshop class I took from her in '90. I used to hate it, but now I realize the old bird was right about sudo.

The UNIX world has this crap beat by more than a decade, with plenty of published prior art.

- Necron69

Re:Obligatory

[Dan Ost]

That's what the ctrl-alt-del combo is supposed to foil. A uncontentious user would remain safe by observing this, but the typical user wouldn't care (assuming they even noticed).

Re:Or not?

[jedidiah]

Sudo is just fine for everyday users. Ubuntu uses it extensively to great effect. Of course it isn't implemented as a "crude command line utility" as your message implies. Sudo hasn't been restricted to that for a long time. There have likely been gui wrappers for it for as long as it's been around (through things like tcl/tk and such).

If you think sudo requires a "black desktop", then your knowledge of Linux is at least 10 years out of date.

Re:Or not?

[egomaniac]

Mac OS X also much friendlier than other OSes in the event of a kernel panic. When you do get a kernel panic, you get a nice multilingual screen (graphical, none of this white-on-blue-80-column crap) telling you that your computer has encountered a problem and must be restarted. When the computer boots back up, it pops up a dialog explaining what happened, with the option to view the crash details and a Send to Apple option. Yes, I admit that I have had Mac OS crash on me, but only for "legitimate" reasons (a hardware problem in one case, a buggy 3rd-party kernel extension in another case).

Compared to Mac OS panics, the Windows BSoD is very primitive -- which is surprising, because BSoDs were once pretty common, and kernel panics on Mac OS X have always been very rare. You'd think Microsoft would have put more effort into it. Yes, I know BSoDs are rare nowadays, but faulty hardware can take any machine down, and it's nice to get such a clean experience from it.

Re:UAC == *TERRIBLE* Security Idea!

[The Mysterious X]

UAC has far too many false positives to be meaningful. You can't freaking open the Control Panel without a UAC prompt.

Yes you can.

Re:UAC == *TERRIBLE* Security Idea!

[throx]

Did you actually do any research before posting that rant?

First, you can open Control Panel and run most of the applets there without triggering a UAC warning.

Next, the UAC warnings aren't all that common once you have your machine set up and running. The exception there is the power user that actually tinkers with the system at an administrator level quite often, but for the normal user who just runs apps all day - they won't see a UAC prompt at all. If you want to disprove me - just list for me the normal user actions that trigger a UAC prompt, I dare you.

Lastly, how do you figure UAC is actually a bad thing and disabling it will improve your security? The far more reasonable approach is to stop using applications that need the privileges that UAC actually protects. In your world, apparently you should run everything as root on Linux as well because, well, sudo is just far too much of a pain to use when you're tinkering in /etc?

Leave UAC enabled. Stop running bad applications (if you must run Vista at all).

Re:Obligatory

[SL Baur]

You didn't read the patent. They describe sudo in it as clear prior art, then go on to describe why their system is different and better.

The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo. Only the most privileged is like sudo, the other intermediate levels have some level of system access, but not all. It's kind of like capabilities, but a lot more limited since each higher level of security has access to all the lower levels. Fascinating and I can see why the patent was granted (I hope there's clear prior art in an MLS system of the day or even VMS, SYSPRV and SETPRV are close, but I'm not sure).

Re:Obligatory

[The_Wilschon]

The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo.

Soooo, you mean something kind of like the Unix group:user permissions system, whereby you can give specific users (and hence specific programs) access to various things in a really quite fine-grained manner? Or better yet, Access Control Lists (present in various flavors of Linux, notably SELinux)?

I hope there's clear prior art

Please see above.

Sudo is a single quick and convenient mechanism for utilizing the security features that are built in to the Unix permissions system. It is not the entirety of the Unix security model.

Re:Obligatory

[dgatwood]

The patent is for a heirarchical security model where there are multiple levels of access not the all or nothing of sudo.

Spoken like someone who has never run visudo.

The sudoers file format [apple.com] offers a lot of flexibility---hardly an "all or nothing" design.

Re:UAC == *TERRIBLE* Security Idea!

[init100]

I've never had a single problem (spy/mal-ware, virii, etc) on this computer that's running Vista, without so much as an AV prog or firewall.

If you don't have anti-virus, how could you know that you are clean? Some (most?) viruses do not throw up giant announcements like "We are proud to announce that you are now infected with the latest XYZ/Win32 Virus". They could just sit there, silently sending your keystrokes to their creator.

Sudo no! TiVo yes!

[SL Baur]

That is correct, not that it matters and "all or nothing" is what is described in the patent as something that the patent does not cover. (Something implemented since 1999 is not prior art either).

Let me try to make this clearer, since noone seems to understand what they've patented. Sudo, ACLs, Unix Groups, Capabilities are not what is covered in the patent. The patent does cover something like TiVo. You can be root on your machine, but you are not allowed to change the operating system. The patent does cover something like the PS3, you can install Linux and be root on your machine, but you are not allowed access to the whole system. Moreover, that is exactly the language used in the patent to describe their invention - an OEM who wishes to restrict certain privileged operations on their system from an administrating end-user.

*Sudo is specifically not covered. Sony PS3s and TiVos are.

Hope that helps.

Re:Obligatory

[Afecks]

That is a firewall issue. Poison Ivy doesn't make permanent changes to Firefox, it simply injects some extra code into it. That is standard Windows behavior, you don't need to run as admin to modify another non-admin process. Anti-virus software can only detect known malware and it doesn't take much to turn known malware into unknown malware. Just an EXE packer or crypter will do the trick most of the time.

The problem is that when Microsoft includes security features that replaces third party software, people scream monopoly. When they leave these holes open to be filled by third party software, people say it's weak. So, it's weak. If your friend insists on downloading cracks or doing whatever it was to get backdoored, tell him to run ProcessGuard. It prevents protected applications from being modified. It can stop attackers from getting a foothold in most cases. That is, if you start fresh and train it correctly in the beginning.

Re:Obligatory

[misleb]

Windows has some limited POSIX support. Lack of fork() is one of the limitations.

Re:UAC == *TERRIBLE* Security Idea!

[Planesdragon]

A friend showed me Vista in a VM (clean install). He logged in and instantly came up UAC.

Wait... the first launch of a Microsoft OS tried to do something that requires administrative privileges? Like, oh, setup devices? Or configure a network connection?

Call me shocked. Next think you'll know, Linux will require you to type in a password when you log in.

Vista, like most MS OSes, needs a full cycle or two to configure itself to its machine. I ran the beta for a few months on my laptop (it's inevitable that someone will ask me about it, so I it was worth the cost of "free" to learn.) Once everything's setup, UAC simply did not launch unless I installed something new.

The best thing about UAC is that it's user-agnostic; even if you're an admin, you still need to explictly grant it. Which means that you hardly have a reason to run as admin.

UAC isn't "sudo"

[yeremein]

In Unix, you type a command, get "permission denied", and then run the command again, prefixed with "sudo".

In Windows, you type in a command, get "permission denied", and... crap. There is no "sudo". Instead, you have to find a shortcut to a command prompt, right-click and select "Run as administrator", confirm the UAC prompt, change back to whatever directory you were in, and then run the command. It's a huge pain for people who work from the command line.

Re:UAC == *TERRIBLE* Security Idea!

[Allador]

Have you run Regmon and Filemon on XFire to figure out why its triggering UAC?

What file & registry locations is it writing to, or special user privileges is it leveraging, to cause UAC to fire?

Have you googled about this? There are several solutions documented out there, which is to force XFire to always run in a privileged mode from the get-go, so it doesnt require elevation.

X-Fire triggering UAC isnt something 'useless' about UAC, its X-Fire doing things to your computer that would be 'really bad' when done by malware.

Re:UAC isn't "sudo"

[Redhawk]

Nice try.

runas /user:administrator

From the command line.

Let's ding them for their legit flaws, not stuff we make up.