Microsoft Caves, Will Change UAC In Windows 7
CWmike writes "Reacting to intense criticism of an important security feature in Windows 7 (which we discussed a few days back), Microsoft today said it will change the behavior of User Account Control in Windows 7's release candidate. In a blog post, two Microsoft executives responsible for Windows development, John DeVaan and Steven Sinofsky, said 'We are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. Second, changing the level of the UAC will also prompt for confirmation.' They said the changes were prompted by feedback from users, including comments on an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7."
Intense? (Score:5, Insightful)
Intense criticism? Define "intense."
Isn't this how it's supposed to work? Release pre-production code to the community. Listen to comments. Respond to comments as appropriate.
Now define "over the top."
Re:Intense? (Score:5, Funny)
You take your logic and you get out of here!
Re: (Score:2)
Yeah, don't let the door hit you on the brain on the way out!
Re: (Score:2)
That's fine for the colors of a window frame, or the number of items on a pull-down menu, but OS security should not be driven by marketing and 'community feedback'. Microsoft's development methodology is fundamentally broken, and they don't seem to realize it.
Re: (Score:3, Informative)
Re: (Score:2)
That's fine for the colors of a window frame, or the number of items on a pull-down menu, but OS security should not be driven by marketing and 'community feedback'.
Why not? Security levels in many cases (especially UAC) are a tradeoff between usability and security. People have spoken on the Microsoft blogs that they are okay with some inconvenience of elevation prompts for UAC changes and are not willing to sacrifice the security. Microsoft listened to them. This actually looks like a sound development methodology to take into account user feedback.
Re: (Score:2)
Yeah - but apparently some of the less-technical MS brass preempted the engineers with a knee-jerk reaction something in the line of: "There's nothing wrong; it is as it is by design; you asked for it; move along!"
What's significant here is that they actually did an about face very shortly thereafter. Presumably when the real engineers and UX experts had told the brass what they thought.
Which is actually pretty significant as it hints that the actual MS engineers' powers are growing.
Re: (Score:3, Interesting)
User: Ummm, this seems wrong...
MS: Nah, that's by design
Lots of users: WTF? No, it's wrong you idiots!
That last bit was somewhat intense but was only brought about by MS's initial attempt to wave away the problem.
Re: (Score:2)
The entire concept is broken (Score:5, Insightful)
Re: (Score:2)
Here's the secret: UAC has nothing to do with protecting users. Instead, it exists (at least in Vista) to reveal old programming problems lazy developers often made (such as writing within Program Files).
Of course the argument can be made that MS should've locked down Program Files from the beginning, but that's another discussion.
Re: (Score:3, Insightful)
The argument also exists that they should tell the user what's going on rather than silently redirect stuff.
Tell me the program's broken, tell me there's a problem, block writes to PFs, whatever. Don't just silently squirrel stuff away somewhere else and then show different users different versions of the same file...
Just wrong.
Re: (Score:2)
The concept is also out of anyone's reach. As computers become more and more ubiquitous, a smaller percentage of computer users are specialized. The typical user nowadays expects a computer to just work like a TV or microwave. They just want to use the wonderful computer and do not have time to read instruction manuals or even prompts. But when computers do not work, they freak out and blame the computer.
No one is immune once you reach out to average users. As Apple starts to penetrate the market, you will
windows users are STILL more tolerant than ME (Score:5, Interesting)
The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer," DeVaan said.
I get asked for my password when I do something in terminal that requires sudo, but other than that, I don't get a security prompt more than once a day on the average. Again depending on what I'm doing. I can go an entire day and not see one sometimes.
I suppose I'd like to spend a day watching a windows7 user and see WHY they are getting all these UAC popups. I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency unless you're doing things that *I* might find common, which is not Joe User.
I have my mother's main account on her machine as a limited user, and she knows the admin l/p when needed. I bet she gets asked for it once every 2 weeks at most. (like when a firefox update wants to install, and then it's behaving exactly as expected and desired) THAT'S how I'd expect ALL "typical" computer users to want to see. I'm absolutely certain I'd be getting a phonecall after she got prompt number two (for no good reason) in the same day. Why does it keep doing that? Fix it!
Application for Windows (Score:5, Interesting)
What it actually came down to was the programmer was complaining about having to separate privileged code from non-privileged code.
Just about every app made for Windows runs in admin mode and UAC will complain about it.
In *nix it would be like requiring root to run the tar or ls commands.
Re: (Score:2)
DVDdecrypt (runs without admin, but bitches about it)
Core Temp (has to run as admin)
Handbrake (can't update profiles unless it's running as admin)
Everything else runs just fine. (Office, Paintshop Pro, Firefox, Thunderbird, utorrent, Omea RSS reader, and a dozen or more other applications that I'm too lazy to list)
Re: (Score:3, Insightful)
"I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency"
Yes, but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility', Joe Sixpack will be running many of those applications for many years to come (heck, I have a copy of Word from the Windows 3.1 era on my Windows PC because I had to open old Word files and current versions woul
Re:windows users are STILL more tolerant than ME (Score:5, Insightful)
but this is Windows, which has been so poorly engineered for so long that roughly 97% of applications expect to be run as Admin; and thanks to the delights of 'backwards compatibility'
ya, but wasn't that what Vista was all about? Causing 80% of the existing windows apps to spontaneously combust and force the developers once and for all to fix their crap? What happened to that? (guessing... public outcry from the users and lazy devs pointing at MS as the blame) I thought that was the reason that Windows7 was going to make an even more solid, committed attempt to force the developers to adopt good coding practice. MS can't just continue to roll over on this issue.
Re: (Score:2)
"ya, but wasn't that what Vista was all about? Causing 80% of the existing windows apps to spontaneously combust and force the developers once and for all to fix their crap?"
Well, that was kind of my point: even if they get developers to fix their broken applications that expect to run as Admin for generic tasks that shouldn't need it, the old versions of those applications will still be around for years to come, and people using those applications will complain until Microsoft have to do something to make
Re: (Score:2)
What happened to it? UAC was panned by Slashdot, panned by the press, panned by Apple, panned by developers, and hated by users. Everyone blamed Microsoft for "breaking things" and "annoying prompts" when it was the crappy application developers' fault in the first place.
The moral of the story is that people don't care what's technically correct. They just want their apps to work. Microsoft absolutely can roll over on this issue, because their customers want them to.
Re: (Score:2)
They only panned UAC, because of its incredibly flawed implementation. All of it was justified.
Before SP1 (which did quiet it down a bit) it came up way more frequently than it should have, and even after SP1 usually you had to click two dialog boxes with no password (and sometimes 3 or 4), instead of just one with a password, like on Ubuntu and Mac OS X.
One report (with a quote) even suggested that MS made it annoying on purpose, to get devs to fix it. That's a horribly disrespectful way to treat people wh
Re: (Score:2)
Current versions all read the old formats, you just need to select the obsolete formats you want to be able to open on install. Not realizing this cost you your computer literacy card. Tear it up or burn it within 24 hours, please.
Re:windows users are STILL more tolerant than ME (Score:5, Informative)
I've been running Vista on my home/gaming rig for over a year now. It runs Steam, Fallout, Oblivion, Half-Life, Office, DevStudio, Firefox, Thunderbird, KeePass, Paint Shop Pro, Python, AV, iTunes - lots of stuff, some old, some new, some MS, lots of ISV.
I probably encounter a UAC prompt every week or two. Going into the control panel is pretty much guaranteed to trigger it, as does updating a device driver, or installing/updating software.
That's pretty much it. I have at least one app that writes settings into its program files directory, but Vista silently redirects that to somewhere in the profile directory without requiring UAC.
The reality is that MS has been pushing ISVs for years to stop relying on admin access. Look at the requirements for getting the Windows logo on your app - one of the reqs is that it has to run as a normal user.
Between that pressure and the fact that Vista does trap and redirect some of the most common accesses to HKLM and Program Files, most shrinkwrap userland apps work fine in Vista.
When you start talking about things that a guy in the IT group whipped up in a few days back in 1998 things aren't nearly as rosy, but most home systems don't have to deal with that crap.
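Added example, not part of any comment in this thread: the silent redirect described above lands in a per-user `VirtualStore` folder, so one configuration file can exist in a different version for each user. The PowerShell below lists redirected files and compares each with the machine-wide original; the function name `Get-VirtualStoreFile` is hypothetical, and it assumes profiles under `%SystemDrive%\Users` with the store at `AppData\Local\VirtualStore`.

```powershell
# Added example: audit UAC file virtualization. Not code from the thread.
# Assumptions: profiles live under %SystemDrive%\Users and each user's store
# is AppData\Local\VirtualStore. Run elevated to read other users' profiles.
# Needs PowerShell 4 or later (Get-FileHash).

function Get-VirtualStoreFile {
    [CmdletBinding()]
    param(
        [string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users'),
        [string]$DriveRoot    = ($env:SystemDrive + '\')
    )

    $profiles = Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($userProfile in $profiles) {
        $store = Join-Path $userProfile.FullName 'AppData\Local\VirtualStore'
        if (-not (Test-Path -LiteralPath $store -PathType Container)) { continue }

        $files = Get-ChildItem -LiteralPath $store -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            # The path below VirtualStore mirrors the path the program asked for,
            # e.g. VirtualStore\Program Files\App\app.ini -> C:\Program Files\App\app.ini
            $relative = $file.FullName.Substring($store.Length).TrimStart('\')
            $intended = Join-Path $DriveRoot $relative

            # Compare the user's private copy with the machine-wide file, if any.
            $state = 'NoMachineWideCopy'
            if (Test-Path -LiteralPath $intended -PathType Leaf) {
                $mine   = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                $shared = Get-FileHash -LiteralPath $intended -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($mine -and $shared) {
                    $state = if ($mine.Hash -eq $shared.Hash) { 'Identical' } else { 'Diverged' }
                } else {
                    $state = 'Unreadable'
                }
            }

            [pscustomobject]@{
                User          = $userProfile.Name
                IntendedPath  = $intended
                RedirectedTo  = $file.FullName
                State         = $state
                LastWriteTime = $file.LastWriteTime
            }
        }
    }
}

# Summary per target folder: which applications still write to protected
# locations, for how many users, and how many private copies have diverged.
Get-VirtualStoreFile |
    Group-Object { Split-Path -Path $_.IntendedPath -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Users';    Expression = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        @{ Name = 'Diverged'; Expression = { @($_.Group | Where-Object State -eq 'Diverged').Count } } |
    Format-Table -AutoSize
```

A `Diverged` row for a service configuration file is the situation where an administrator's edit lands in a private copy and the service never sees it.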
Re: (Score:2)
The problem is that Windows isn't doing uncommon things, the programs are. They are designed with WindowsXP-do-anything-you-like-as-admin philosophy, instead of restricting their business to their own areas.
In my experience, Vista seems to Admin Popups than Linux because the apps are doing stupid things, not because Vista was designed wrong. When I think about when Vista pops things up, it's the same times I'd be required to sudo in Linux: Installing/changing/deleting stuff globally for all users.
I don't
Re: (Score:2)
I can't believe that if the OS is engineered properly if there would be any reason for it with ANY frequency unless you're doing things that *I* might find common, which is not Joe User.
I can believe that a properly engineered OS would prompt that frequently, assuming enough improperly engineered applications. And there are plenty of crappy Windows apps floating out there to make this thing believable.
Re: (Score:2)
My wife stole my old cool acer ferrari 3400 when I got a new dell. It wasn't that it was faster than what she had, but she really liked the color of that thing (all shiny Ferrari red).
Anyways - she runs Vista Business. She's on a user account and she does not know my admin pw. She went a good 6 months using it every day before she experienced the UAC prompt. She had to install a new homebanking app.
I'd say it works as intended. For everyday work - even with Visual Studio 2008 - I don't get UAC prompts.
Re: (Score:2)
I suppose I'd like to spend a day watching a windows7 user and see WHY they are getting all these UAC popups.
Hell, I'm running Vista and I'd like to know what people are doing to get all these popups. Pretty much the only time I see one is when I'm installing a new game. And for some reason when I start Steam.
Re: (Score:2)
I work with Vista, develop software on it, and run in standard user mode (not administrator). I seldom get asked for elevation. The times that I do are when I am installing software, and changing a system setting. Other than that I never get prompts. My wife uses Vista also and she has never gotten a prompt.
I think the complaints about UAC revolve around the unfortunate set of users that think they are "administrators" or power users and run that way and then complain that every time they install the latest
Caves? (Score:5, Insightful)
This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?
Did I miss some story where Microsoft said they absolutely refused to fix the problem, but now a few days later they're giving in and fixing it?
Re:Caves? (Score:5, Insightful)
Re: (Score:2)
Not only that, but this very forum is overrun with people complaining about how many times UAC prompts appear in Vista, and this story is about Microsoft responding to users' complaints and reducing the number of prompts, only to then be told that now it had too few prompts. So, they're listening to users' complaints again and rolling things back.
But apparently that's "caving".
Re:Caves? (Score:4, Insightful)
A true slashdot user believes all these things
1) The flaw in XP was that everyone ran as admin. Unix's system of running as a limited user and doing a privilege escalation via sudo each time you do something that requires admin rights.
2) The flaw in Vista was UAC, where you do a privilege escalation each time you do something that requires admin rights.
3) The first Windows 7 beta had a flaw where it was possible for malware to disable UAC programmatically and thus bypass it.
4) Microsoft have 'caved' and changed UAC in the Windows 7 release candidate.
and he believes them simultaneously too.
Re: (Score:3, Insightful)
This is slashdot. Nuff said.
Re: (Score:2)
You want to know why? Microsoft eats babies and worships the devil! That makes them EVIL! Ergo, whatever they and anyone else associated with them does anything, it must be spun negatively no matter what.
Re: (Score:2)
Re: (Score:3, Informative)
"This is hardly "caving". Microsoft was alerted to a security issue, and they're fixing it. How did this get spun into an anti-microsoft story?"
They stated it was by design a few days ago, immediately after the issue was posted, that's why
Re: (Score:2)
Ya, your point? It WAS by design. People complained, apparently enough that they responded by CHANGING THE DESIGN. Yes, that's valid to do.
Of course had they done nothing, I'm sure you'd be posting "see, M$ doesn't listen to their customers!"
Re:Caves? (Score:5, Informative)
Re: (Score:2)
I thought the criticism was that the way they are reducing the popup frequency, is by "auto-escalating" applications to higher access levels. From an engineering standpoint, that sounds like a huge glaring security hole. I would think that's why this is getting "spun".
Think of it this way. I install some app that accesses a file in program files. In order to do that I have to grant access privs, so it's now been escalated. Now that program has a browser component, that can be exploited. The exploit can tak
Still missing... (Score:4, Insightful)
the one thing that will make me consider not turning it off. A "do not ask again for this application" checkbox.
Come on. Every firewall/HIPS system I can remember trying the past decade or so has an option to remember the answer.
This obviously won't work for settings, but for when starting an application? God, it's so needed.
Re: (Score:3, Insightful)
Why should any application need that checkbox?
No application should be asking for privileges that much, unless it accesses special hardware (easy example: something akin to WireShark). A normal application (like FireFox) shouldn't need to ask for permission all the time. If it does, it probably has a design flaw.
If you grant full permissions in the way you are suggesting be made possible, then if a new version of the application alters its functionality (or some time-bomb kicks in) then it can do things
Re: (Score:2)
You're almost there!
UAC was never about the user; it was about the developers. For ten bloody years now, everything necessary to write apps without admin requirements, without needing to write to places like program files, and so on, has been in Windows.
You could do it in WinME, you could do it in Win2000, you could do it in XP. Developers didn't bother. I *still* find programs that want to write user data to program files. Hell, I just about fell over when I discovered, installing the 'network' version
Re: (Score:2)
Re: (Score:2)
At some point you have to trust something. I've installed and run thousands of applications over the past few decades, never has one included a time bomb that suddenly turned it into an evil machine-destroying demon.
If this by some miracle became a common thing to do for application developers, well, that's what we have anti-malware software for.
Point is, it _is_ an issue. It wouldn't be if UAC would let me tell it I trust the application I'm about to run, and accept that I won't be changing my mind about t
Re: (Score:2)
I should add that I'm fine with all of this being UAC settings and keeping it working like now by default.
That way UAC specifying _what_ the application is trying to elevate in order to do won't confuse the average user, while giving me the information I need to make a judgement.
Re: (Score:2)
But what happens if an application that you previously trusted is then discovered to have a fault that can be taken advantage of?
Suppose you trust Firefox, and then a few months later someone finds a vulnerability that allows some script to be run or whatever.
With the way people like to "set it and forget it", I don't think that would be a very good idea. I would rather know whenever an application is trying to do something critical. And for how rare that is, I'm happy to confirm that with a UAC prompt.
UAC is useful (Score:5, Interesting)
While many may scoff at UAC, it does do something very well. It foists responsibility on the user. While this may not be the nicest thing to do, it enforces perhaps the most difficult ideal. That being of awareness of security. Users that have no idea, will not be aware of how to protect themselves. Perhaps I am being too forgiving but perhaps someone in Microsoft has actually come up with the philosophical crux of security argument in that no matter how well you design a system, no matter how many updates, patches, or how secure a system you make, someone at some point is going to break it. If DRM, or adware, malware, virus, or Trojans have taught us anything, is that no matter our perceived security we are all vulnerable at some level and all that it takes is someone willing to go the distance and break it. I think microsoft would be correct in its thinking that they will always be target #1, and for the foreseeable. That said, how do you protect yourself from all the bad guys in the world. Well you could create some wonderbar new technology that will secure your systems, and update it constantly to try and keep up with attacks, knowing that it will eventually fail. Or you can implement that and make your users aware of basic security issues, which would probably be about a thousand times more useful as most of the time these things happen when a stupid user opens a file he shouldn't or downloads something sketchy, etc...
I mean when you hose your box you have no one to blame but yourself. Usually it becomes apparent shortly after you tell UAC to go screw itself. Then you know. Now in the future when you download that mp3 and try to open it with media player, which doesn't recognize the file type, you might actually think. "Ok this may be a codec it doesn't know, or it is a very bad idea to get it to try and open it anyway, perhaps I will just update my codecs and see what happens".
Anyway I am sure some security professional (both IT and otherwise) will attest to having a user informed and aware of potential threats is far more useful than anything else.
Of course perhaps I am just giving Microsoft too much credit.
Re: (Score:3, Insightful)
While many may scoff at UAC, it does do something very well. It foists responsibility on the user. While this may not be the nicest thing to do, it enforces perhaps the most difficult ideal. That being of awareness of security.
I challenge you with the claim that you understand neither users, nor security.
Or, to bring up a car analogy, UAC is like asking the user for tire pressure, the mixture rate of gas and air, and the precise timings of ignition in order to drive a car. Then telling drivers they're stupid fucks because most of the cars on the streets stutter around or burn up.
Security education is an utter and total failure and most serious security professionals have long moved away from it. Today we train security awareness,
Microsoft Caves (Score:2)
Home of Microsoft Trolls?
Union Aerospace Corporation (Score:3, Funny)
This change is not enough. (Score:2)
There is another feature that auto-elevates that can and will be used.
When you use Explorer to drag and drop files into a directory you don't have write access to, Explorer will ask whether you'd like to use your Administrator permissions to complete the task. If you say yes, it will launch a program as Administrator that does the actual copy.
The problem is, this program in Windows 7 is one of the special ones that self-elevates without the UAC dialog box. Because Explorer doesn't run with Administrator p
Direct Link to the Flv (Score:2)
ZDNet's flash player sucks and didn't load so I found the actual flv.
http://media.cnetnetworks.com.au/video/2009/02/22470997/22470997.flv
This does NOT fix the issue (Score:2)
It's good they've responded, but this change does not fix the fundamental problems with win7's UAC whitelist.
The problem is that 70 applications are on the whitelist and are allowed to silently elevate without the user's knowledge. You just have to inject code into one of these 70 applications and you have admin rights. There are multiple ways of doing this. You can use the debug API, you can get them to load a DLL, use your imagination.
Here's a page with a sample exploit and a lot more information:
you can't fix UAC (Score:2)
It's simple, really. The concept of UAC is broken, not the implementa... ok, they're both broken, but you can only fix one of them.
The idea that the user can even make these decisions is fundamentally flawed and shows that MS is run by either geeks (who don't understand that human life is possibly with knowledge of stacks, heaps and pointers) or lawyers (who don't care about users at all and only want to see responsibility shifted to parties outside the company as much as possible).
90% of windows users can n
Re: (Score:2)
Re:I had a little glimmer of hope (Score:4, Informative)
Re:I had a little glimmer of hope (Score:5, Informative)
No... SELinux goes way beyond the access controls Windows NT has.
What you're thinking of is basically the POSIX ACLs. They've been in Linux for years. They don't see much use, because in the vast majority of cases, the old Unix permissions are good enough, and much easier to manage.
You have the standard owner, group, and everybody permissions on each file. If a file also has an ACL, it takes precedence.
Both Unix permissions and POSIX ACLs, as well as Windows's permissions, are a form of user access control.
SELinux is something else entirely - it's a form of mandatory access control, and it's applied to applications instead of users. A SELinux profile defines what an application is allowed to do - which system calls it may use, what files it has access to, and so on. This runs alongside the Unix permissions.
The closest analog in Windows is IE7's Protected Mode, where IE7 (and only IE7) is sandboxed and is unable to access anything but its own configuration files. It's not really the same thing though - it's a sandbox, not a MAC implementation. A MAC implementation can be used to build a sandbox, but it can also be used to do far more.
It's not there to prevent users from doing something stupid. It's there to prevent applications from doing something they aren't allowed to, so that in the event of a security breach, an attacker is prevented from doing anything the application wouldn't normally do.
Re: (Score:3, Insightful)
Yup, SELinux is designed to allow government computers to process data of different classification levels, without causing all data to adopt the highest level.
For example, if you copy a confidential file onto an ordinary secret machine, that file then becomes secret. If SELinux is implemented, then a machine can be designed to process both confidential and secret data, without all confidential data becoming secret. However, setting something like this up and getting it certified by the NSA is a friggen hu
Re: (Score:3, Insightful)
The right approach is to ask, "In our situation, what do we need the software to do?"
Re: (Score:2)
But to continue on from that question, you need to find out which of the particular options available to you can do what you need it to. That does require knowledge, to an extent, of the options.
Re: (Score:2, Insightful)
Sounds like Group Policy Objects in Windows (running in a Domain).
If it sounds like it, I hope you haven't done much administrating Domains recently.
But maybe you're right, so... how can I create a GPO object that gives the following MAC profile to any instance of Firefox, started by any user:
- disallow connecting to ports other than 80 and 443
- disallow reading files in the User's home directory
- allow reading and writing files in %AppData%\Firefox, but not reading anything else in %AppData%
- allow writing files to %TEMP%, but allow reading only of the files created by F
Re: (Score:2)
Re:I had a little glimmer of hope (Score:5, Informative)
SELinux is not about account permissions. It is based on security contexts which may or may not involve user accounts. For example, the idea of "root" means nothing in SELinux. A process with uid root can't get out of its confined security context and go rampant just because of its root privilege.
Regarding Windows' filesystem access control, it is similar to POSIX ACLs found in almost all Linux distros. These ACLs define the fine-tuned relationship between users and filesystem objects. However, filesystem access control is only a part (albeit important) of OS security, and I think neither SELinux nor Windows UAC is meant to work only in the realm of filesystem control.
Anyway the above description is based on my vague memory of this stuff and I could be wrong.
Re: (Score:2)
For example, the idea of "root" means nothing in SELinux. A process with uid root can't get out of its confined security context and go rampant just because of its root privilege.
First, there are specific SELinux user contexts that refer to root (as opposed to a regular user), so, yeah, SELinux does have the idea of "root".
Second, you have to be able to administer the system somehow, and SELinux is part of the system. And, you really don't want SELinux being the part that restricts what can configure SELinux, because then one screwup and the system is hosed.
For a truly secure system, it might not be the case, but with every SELinux-enabled distribution I have seen, "setenforce 0" a
Misunderstand on SELinux (Score:3, Informative)
SELinux provides a consistent mechanism for runtime policy rules in terms of an execution context. That isn't to "provide the same granularity of Windows" so if you want that you need to look elsewhere.
The reason why SELinux is important is that it goes to the next step of control. For instance, assuming a system is configured correctly to access the Firefox binaries and necessary files, a problem still arises: The Firefox process, once launched, has access to everything the user that launched it has acces
Re: (Score:2)
Re: (Score:2, Insightful)
OP said:
You're aware the access controls of the Windows NT line is MORE fine grained than UNIX, right?
indicating that more fine grained controls via ACLs etc is better than the ugo model that standard unix uses.
I'm merely pointing out that this is a beyond stupid argument, since Microsoft often claims that the registry is far better than /etc config files, and we all know how fucked up the registry can be. Here's an article on why Microsoft thinks the registry is better than /etc config files: http://www.theregister.co.uk/2002/11/21/ms_paper_touts_unix/ [theregister.co.uk]
And for the morons who keep harping on SELinu
Re: (Score:2)
Re:I had a little glimmer of hope (Score:5, Insightful)
When I read the headline...that they were going to implement proper user account permissions (a la UNIX) so UAC wouldn't be needed. Alas, I was disappointed.
By that you mean "put password in every time you need to elevate?". UAC does that if you're not an admin. If you are, because you're not really an admin, it just confirms you want to...if the app is digitally signed; if not, it gives you a big scary warning box you actually have to read.
To be fair about Vista (can you do it, /.?) (Score:3, Informative)
I agree about the flawed permissions architecture.
I use Ubuntu ("Canonical's Debian") and OS X. But not everything runs in WINE so I do have an occasional need to run MS for contract work. I have no more patience for WinXP's constant updates (many requiring a reboot) and it's growing harder to find Win2K drivers, so I tried Vista. It is available for 64-bit (more addressable RAM) and it has outbound firewall blocking (that's good). Vista looks better than previous versions and the UAC is truly NOT so annoyin
Re:To be fair about Vista (can you do it, /.?) (Score:4, Insightful)
It's my business where I install the OS. It will only be on one computer at a time, but if I pay the money, the OS goes where I decide when it suits me to reinstall, without a penalty to ME.
I agree completely. I always get modded as a troll, but forced activation really is one of the things that keeps me from using Windows Vista. Every product that I've used that has activation has, at some point or another, made it needlessly difficult for me to do something legitimate. I just refuse to deal with that stuff anymore.
I have enough problems with software working properly without the developers embedding kill-switches in their software.
Re: (Score:2)
I *have* run into problems with the Program Files folder in Vista. Some applications need to write in there and sometimes *I* want to write in there,
NO you do not want to write into program files. UNLESS you are an installer. Period.
YES some programs do - buggy programs violating coding practices for years. For THOSE there is another part of UAC (it is not all about prompts) called file system virtualization. As the name gives away it virtualizes some of the file system, such as "program files" and "windows". When switched on it lets the program believe it writes to the folders, while in reality the files are being stored below the current users fold
Re: (Score:3, Insightful)
"NO you do not want to write into program files. UNLESS you are an installer. Period."
Personally, I like to think of myself as a continuously modified script, running a bio-mechanical machine.
Far more often than not (nearly always) you do not want applications to write into the ./Program Files/. folder, however, I am not a program, and I need to write to various (program files) folders for many reasons, what if I need to install a plug-in that does not have an installer, perhaps a file got corrupted, and I
Re: (Score:2)
Personally, I like to think of myself as a continuously modified script, running a bio-mechanical machine.
Ok, then open PowerShell (or cmd - but that sucks) with the "run as administrator".
Also, as an admin you *do* have the right to write/modify those files (when properly elevated), although you *may* want to remove the "read only" attribute from the files first ;-)
Re: (Score:2)
Why the hell not?
What about applications that have system-wide (NOT per-user) configuration that is changed very infrequently? What's the problem with me, the system administrator, editing those so that when the service next reads its config it can grab them?
Silently redirecting things to a secret, non-shared location is just wrong.
Re: (Score:2)
What about applications that have system-wide (NOT per-user) configuration that is changed very infrequently?
They go into "\Users\All Users\" which is a symlink to (usually) "\ProgramData".
Or they go into the registry (if it is not large binary data). Yeah, I know this is /. and everyone is supposed to hate the registry. But that's the standard, anyway.
What's the problem with me, the system administrator, editing those so that when the service next reads its config it can grab them?
What's wrong is that it is a *nix paradigm used on a non-nix platform. When in Rome...
Silently redirecting things to a secret, non-shared location is just wrong.
Perhaps. It was merely intended to help those apps which had blatantly been ignoring coding-standard for years. Really, using "program files" for sharing users' data is pretty hor
Re: (Score:2)
It's not sharing user's data, it's system-wide server/service configuration. It's not for all users, it's not even for any users!
I do understand it's the windows way, but it's not one myself or my (highly skilled, highly intelligent but admittedly mostly *nix focused) department knew about. Took aaaaages to figure out why the admin making changes to the server config didn't seem to have any effect on the service, which was running under a different system account.
I don't think it's an abuse, really.
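The redirection argued over in this sub-thread can be inspected directly. The script below is an added example, not code from any poster or from Microsoft: it lists files that UAC file virtualization has redirected into each user's VirtualStore folder and flags copies that shadow a real file. It assumes the default location `AppData\Local\VirtualStore` under each profile, profiles under the system drive's `Users` folder, and PowerShell 4.0 or later in an elevated session.

```powershell
# Added example: report files redirected by UAC file virtualization.
# Assumptions: default VirtualStore location, profiles under <SystemDrive>\Users,
# PowerShell 4.0+ (Get-FileHash), elevated session so other profiles are readable.

$driveRoot   = $env:SystemDrive + '\'
$profileRoot = Join-Path $driveRoot 'Users'

$report = foreach ($userDir in Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue) {
    $store = Join-Path $userDir.FullName 'AppData\Local\VirtualStore'
    if (-not (Test-Path -LiteralPath $store -ErrorAction SilentlyContinue)) { continue }

    foreach ($copy in Get-ChildItem -LiteralPath $store -Recurse -File -Force -ErrorAction SilentlyContinue) {
        # VirtualStore mirrors the layout of the system drive, so stripping the
        # store prefix recovers the path the application believed it wrote to.
        $relative = $copy.FullName.Substring($store.Length).TrimStart('\')
        $intended = Join-Path $driveRoot $relative

        # Compare the private copy with the real file, if one exists.
        $realExists = Test-Path -LiteralPath $intended -PathType Leaf
        $differs = $null
        if ($realExists) {
            $a = Get-FileHash -LiteralPath $copy.FullName -ErrorAction SilentlyContinue
            $b = Get-FileHash -LiteralPath $intended -ErrorAction SilentlyContinue
            if ($a -and $b) { $differs = ($a.Hash -ne $b.Hash) }
        }

        [pscustomobject]@{
            User           = $userDir.Name
            IntendedPath   = $intended
            VirtualCopy    = $copy.FullName
            RealFileExists = $realExists
            ContentDiffers = $differs
            LastWrite      = $copy.LastWriteTime
        }
    }
}

$report | Sort-Object User, IntendedPath |
    Format-Table User, IntendedPath, RealFileExists, ContentDiffers, LastWrite -AutoSize
```

A row with `ContentDiffers` set to `True` is the situation described above: one account's edits live in its private copy while a service running under another account still reads the original file.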
Re: (Score:2)
Not to sound like an Apple apologist (though I am a fan and a user) I think Window's UAC's annoyances go beyond 1 Apple commercial which hasn't run in months.
Re: (Score:3)
> ...the Program Files folder in Vista.
> Some applications need to write in there
> and sometimes *I* want to write in there
So which part of "Program Files" don't you understand? Microsoft explicitly says nothing and nobody should attempt to store any kind of data or user files under this folder.
Re: (Score:2, Insightful)
Proper user account permissions? Like the ACL system that Windows has had for more than a decade? The one that's more granular than what you can get on Linux? I guess Linux needs to ditch sudo and get real "user account permissions" too?
I don't see what you're getting at here: UAC fills almost the same role as sudo on a Linux system. Okay, I admit - it's a little different "under the hood" from the way sudo works under Ubuntu, but it legitimately works, and Microsoft actually did sit down and think this
Re: (Score:3, Informative)
UAC is nothing like sudo.
Sure, the prompts are, but it also restricts what can be run at startup (regardless of permissions) and messes around with various directories that MS have decided are sacred, silently redirecting write operations to other places.
It's annoying and broken.
Re: (Score:3, Insightful)
proper user account permissions (a la UNIX)
You mean "me, us, anybody" permissions? Windows account security is both more sophisticated and more granular. The problem is not with user account permissions, but with the out-of-the-box defaults. On this one, Microsoft can't win. If they do something that's appropriate for the average home user (a breed of cat most of /. can't even imagine), power users and tech writers get all over their case.
In the enterprise environment, the degree of user lockdown is easil
Re: (Score:2)
Most Linux distributions I've used, including Fedora and Ubuntu, prompt me for my password whenever I try to go into some system menu or app, like the networking configuration. That's very similar to UAC popping up and asking for permission. My other option in *nix is to log in as root to make all those changes, but that requires knowledge and taking the time to switch users. Either one of these options i
Re: (Score:2, Insightful)
As I put it in another post (http://it.slashdot.org/comments.pl?sid=1118669&cid=26751749), SELinux is not just a user access control (UAC) system. The NSA didn't build it "to address this" as you said. Instead, they built it to implement a much wider range of ideas e.g. role-based access control and security context/type management.
I'm not familiar with the Windows Vista UAC so I can't make reasonable comparison between it and SELinux. However, if they are designed for different jobs, then we are really
Re: (Score:3, Informative)
Here [wikipedia.org] is some info on SELinux. Some people apparently don't Google things they don't know about before posting (still, it's only been a few years) and others like to not explain things so they appear to know what they are talking about.
The patches for SELinux have the same goal as UAC (and vice versa). That is, they provide a means of controlling what various applications can actually access on a PC. With UAC, MS makes it pretty intrusive and seems to punish the user but overall it is a good thing. If th
Re: (Score:2)
The patches for SELinux have the same goal as UAC (and vice versa). That is, they provide a means of controlling what various applications can actually access on a PC.
They may have the same goal, but UAC is completely different in that it works within the existing security token and ACL framework.
UAC can't do things like stopping "cmd.exe" from writing to a file in C:\, while SELinux can do the equivalent. In Windows, the process runs with the security token of the user, and that completely controls what the process can do.
UAC just alters the security token so that processes aren't always as powerful as the user really is. Although you could implement some form of the
Re:I had a little glimmer of hope (Score:5, Informative)
What is generally discussed (and ridiculed) on /. is what is termed UAC prompts
UAC prompts are merely the visible part of UAC. It's no surprise that the most important parts are hidden beneath the surface (and why it is so stupid to turn it off).
UAC introduces a concept called process integrity. One can consider it a subdivision of user accounts as it works by modifying the security token associated with the process.
If a process is running in "low integrity" it has virtually no rights to file system, registry database, IPC etc. It may render on the designated desktop and may also use an isolated storage. It is important to point out that because this sits in the security token, it is an intrinsic protection. IE7 and Chrome leverage low integrity mode, so even if an "exploitable" bug is found in IE7/Chrome or in an addin, this presents a formidable barrier to compromising the machine or even to get to sensitive or personal data.
Because a low integrity process is so limited, the browsers cannot even download files, except to their local, isolated storage. Therefore UAC calls for a separate broker process which drives the familiar "save" dialog and reaches into the isolated storage and marshals the downloaded files out to userland.
Aside: When Vista was compromised at last year's pwn2own it was through a custom broker process which Adobe had bundled with Flash. In their wisdom they had allowed the broker process to launch external programs. They needed it to perform updates or something. Go figure.
Other integrity levels are normal and elevated. In normal integrity level you cannot perform any actions which require administrative privileges. In that case you need to elevate your privileges. That is where the UAC prompt comes in.
To summarize, while UAC addresses some of the same concerns as SELinux, it does so by reining in the process as opposed to SELinux/AppArmor which reins in applications by defining profiles with allowable actions per app. I suppose you could build something like UAC by using SELinux and inspecting the process, but I'm not aware that this is what SELinux does.
One obvious difference - an advantage to UAC if you will - is apparent in the case of browsers. If a browser needs to be able to upload and download files, it must have a policy defined for that under SELinux. Hence, a compromised browser can also read/write files from/to those same locations without the users' knowledge or consent. That's not possible with UAC and IE7/Chrome. There is only one way (if UAC is not buggy) to have files transferred, and that's through the broker process. Assuming that process is not buggy (looking at you, Adobe) the user *will* know when a file is being downloaded and saved.
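The integrity label described in the comment above can be read from the process token and from file system objects. The script below is an added example, not code from the poster or from Microsoft: it reads the current process's integrity level, reads the label on a few folders, and applies the default no-write-up rule. The chosen folders (including `AppData\LocalLow`, which carries a Low label on a default install) and the reliance on English-language `icacls` output are assumptions of the example.

```powershell
# Added example. The integrity level is the last component of the S-1-16-* label SID.
$IntegrityRid = @{ Untrusted = 0; Low = 4096; Medium = 8192; High = 12288; System = 16384 }

function Get-CurrentIntegrityRid {
    # /nh drops the localized header row, so column names are supplied here.
    $rows  = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label = $rows | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { throw 'No mandatory label found in the process token.' }
    $rid = ($label.Sid -split '-')[-1]
    return [int]$rid
}

function Get-ObjectIntegrityRid([string]$Path) {
    # icacls prints an explicit label as "Mandatory Label\<Level> Mandatory Level:(..)(NW)".
    # Assumption: English-language icacls output. An object without an explicit
    # label is treated by Windows as Medium.
    $text = (icacls $Path 2>$null) -join "`n"
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level' -and $IntegrityRid.ContainsKey($Matches[1])) {
        return $IntegrityRid[$Matches[1]]
    }
    return $IntegrityRid['Medium']
}

$current = Get-CurrentIntegrityRid

# Sample paths chosen for this example.
$paths = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
    (Join-Path $env:USERPROFILE 'Documents'),
    $env:ProgramFiles
)

foreach ($p in $paths) {
    $objectRid = Get-ObjectIntegrityRid $p
    [pscustomobject]@{
        Path                    = $p
        ObjectLevel             = $objectRid
        ProcessLevel            = $current
        # No-write-up: a process cannot modify an object labelled above its own level.
        # Passing this check does not grant access; the object's ACL still applies.
        WriteBlockedByIntegrity = ($current -lt $objectRid)
    }
}
```

Run from a normal session the process level is 8192 (Medium) and from an elevated one 12288 (High); a low-integrity process at 4096 would show `WriteBlockedByIntegrity` as `True` for every folder except the Low-labelled one.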
Re:changing 6 with half-a-dozen (Score:4, Informative)
the uac model is inherently broken.
Citation needed. Along with suggestions on a better alternative.
Re: (Score:2)
The super-shotgun? Or alternatively BFG? (Though you may need a red key for that one.)
Re: (Score:2)
Please check with the editor for current rates for astroturf articles.
Re: (Score:2)
The idea was to make a joke about how although Slashdot is pretty anti-Microsoft, there's a veritable advertising campaign here for their latest product iteration. Irony, you know? Clearly I bodged it though...
Mod parent up (Score:2)
I completely agree. This ad campaign is getting seriously annoying. Not a day goes by without a story about Windows 7, an operating system months from even RC, and which from what I understand, is essentially to Windows Vista what Windows 98 was to Windows 95.
Do we really need 5 articles speculating about how many versions Windows 7 will be released in?
Do we really need separate articles about every little supposed improvement over Vista?
Re: (Score:2)
Changing the UAC level is something you do maybe once (or maybe never, since in Win7 the UAC is a lot less annoying).. you'll never see it again.
However if an app manages to exploit a hole in one of MS' signed apps, run itself elevated silently and attempt to change the UAC level, you'll be warned (Of course if said app manages to do that changing UAC will be the least of your worries...).