Is UAC really needed ?

[Kerry Brown]

Difference is though that Gksudo only presents itself when the user
actually
runs it. Ie...if I run "gksudo myapp" I will see the prompt as you
describe
it.

If I just run "myapp"...I will never see a prompt no matter what it tries
to
do. Anything it tries to modify that it is not allowed will simply be
denied to it. An app not started under elevated permissions can never gain
elevated permissions.

The line "gksudo is a graphical frontend to sudo included with Ubuntu. It
comes up automatically when an application tries to perform an action
requiring root privileges." is actually a little bit misleading.

The only reason gksudo comes up automatically is because it is part of the
shortcut in the system menu for launching the app.

For example (from a commandline):

gksu synaptic

Starts the gksudo prompt for elevated access, and if I enter the password
correctly...then starts synaptic, the package manager. This is how it is
started via the system menu.

However...if I just run "synaptic"..I am greeted with a dialog from
synaptic
telling me it has no elevated access and can therefore not perform certain
system related functions requiring that access. And that's it. It will
never gain elevated access until I close it and restart it with proper
access.

That to me is where UAC's problem lies. An application not started with
elevated permissions can still gain them via the UAC Prompt when the app
tries to do modify the system.

And what's to stop a rogue program from using "gksu run_this_malware"? We
would be back to the same issue. Most current security can be bypassed by
using social engineering. That's the problem with using user accounts as a
security boundary. Presently it's a tool we use but in the long run probably
not a good practice. As OS' evolve this will have to be worked out. Until
this happens we are stuck with things like UAC and sudo or gksu.

 

[Ray Rogers]

Not exactly. Here is the difference as I see it (though if I am wrong,
someone feel free to correct me).

When I start an app, it is run under my user account priviledges which is
just a standard user. It has no root access and cannot modify anything
system specific.

If this app now tries to modify anything in the system, it will simply be
denied access. No prompt is shown, ever. Anything that the app tries to
modify in the system will simply just not be possible. If in this state,
the app spawns a malware process the malware can't do a thing.

UAC on the other hand, if I understand correctly, would now present the
user
with its prompt if it wants to allow the action or not despite the app not
having been started with elevated permissions. That is where I see the
problem with it. An app that has not been started with elevated
permissions
should never be able to obtain them, not even through a prompt.

If I want the app to be able to modify system settings, I have to manually
start the app via "su appname", enter in my password...and then the app
will run under elevated priviledges and anything will be possible. Prompts
are again not necessary because I gave it permission ahead of time. Now if
in this state an app spawns a malware process...it could go out and have
fun. This is the reason why it is never advised to ever run an application
under elevated priviledges unlss you really know what you are doing.
99.99%
of the time, it is not necessary to run anything with elevated
priviledges.

The only apps I ever run under elevated permissions are things such as the
package manager to install software and some of the system utilities to
modify system settings that are not stored in the user profile also
require
elevated permissions. Everything else...gets run as a standard user and is
under that level no risk to the system unless there is some exploit.

--
Stephan
2003 Yamaha R6

å›ã®ã“ã¨æ€ã„出ã™æ—¥ãªã‚“ã¦ãªã„ã®ã¯
å›ã®ã“ã¨å¿˜ã‚ŒãŸã¨ããŒãªã„ã‹ã‚‰

Thanks Stephan, it's all beginning to sink in now, just takes a while.

 

[Stephan Rose]

And what's to stop a rogue program from using "gksu run_this_malware"? We
would be back to the same issue. Most current security can be bypassed by
using social engineering. That's the problem with using user accounts as a
security boundary. Presently it's a tool we use but in the long run
probably not a good practice. As OS' evolve this will have to be worked
out. Until this happens we are stuck with things like UAC and sudo or
gksu.

You are right, nothing stops a rogue program from executing that. However,
there is one difference.

UAC prompts might be legitimate.

gksudo prompts, unless you as a user specifically started it....are not
legitimate. There is not a single piece of software I am aware of in
existance that would legitimately start a gksudo request at some random
point in time. Something would be seriously amiss if a standard app all of
a sudden presented that prompt.

It is of course still vulnerable to social engineering. Anything
is...nothing can protect the user from willingly destroying their system
after all. =)

--
Stephan
2003 Yamaha R6

å›ã®ã“ã¨æ€ã„出ã™æ—¥ãªã‚“ã¦ãªã„ã®ã¯
å›ã®ã“ã¨å¿˜ã‚ŒãŸã¨ããŒãªã„ã‹ã‚‰

 

[xfile]

But this comes from Windows users being spoiled for too many years because

they were always able to run with full administrator privileges,
unfettered.

That's indeed at least for me.

Thanks.

Hi Ray

There really is no difference if you are using a Standard account
(Recommended) in Vista. You see the same type of prompt where you must
select an administrator account and enter the password. (I'm talking about
GKSudo as implemented in Ubuntu here.)

Gksudo, in Ubuntu locks the keyboard, mouse, and window focus to prevent
anything from interacting with the confirmation dialog. UAC in Vista runs
on the Secure Desktop that prevents anything from interacting with the
confirmation dialog.

If you are running Vista with an Administrator account, then you see a
different UAC confirmation dialog on the Secure Desktop that only requires
a click on the Continue Button.

Actually, with Vista, you can even add another layer of protection by
requiring a Trusted Path Entry with UAC. This would require pressing
CTRL+ALT+DEL as an extra step in the UAC confirmation. With this extra
layer in place, you would actually need to deal with 3 dialog boxes on a
UAC prompt.

Reference:
Comparison of privilege authorization features - Unix, Linux, Vista:
http://en.wikipedia.org/wiki/Comparison_of_privilege_authorization_features

Hatred really isn't too strong of a word to describe some users almost
violent reaction to UAC. But this comes from Windows users being spoiled
for too many years because they were always able to run with full
administrator privileges, unfettered. The problem was that this resulted
in Windows being the most unsecure platform of all operating systems. I
think we should just go back to DOS and make everyone run everything from
a command line for a short time, just to show them that one extra click
really isn't that big of a deal. )

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User

Maybe hatred was a rather strong word to use, but my question stands.
What is so different with UAC than how it is done in Linux, is it more,
or less secure, other than the user interface? And that's just a question
of personal preference, or so I would have thought.
--
Ray Rogers

what the hatred of UAC is about[...]

Don't know about others, no hatred, except don't see any necessity of
its existence and it is annoying, plus it may still interfere one's work
when it is set to OFF.

But no hatred.





There is a major flaw with this entire approach (in any OS). The issue
is
that a lot of malware, trojans, etc. tend to install themselves via
exploits. Exploits by their inherent definition usually defeat the
security
mechanisms in place. No security system is invulnerable to exploits.

That is why I prefer Linux's approach to the problem rather than UAC.
UAC
will still let the program do whatever it wants if the user clicks
Yes.
Linux on the other hand (save for exploits) the program has *no
chance*
whatsoever unless I personally started it with elevated permissions.

They key difference being between acting and reacting.

It's impossible under Linux to accidentally start an app with elevated
permissions! It just simply takes too much "work". It's a decision I
have
to make ahead of time.

UAC all it takes is a wrong accidental mouse click on a prompt as all
I am
doing is reacting to its prompt.

--
Stephan
2003 Yamaha R6

§g???«ä?¥X?¤é???????
§g???§Ñ?????????

Stephan, explain this in words of one syllable if you must, are you
saying that if Microsoft had, instead of a clickable prompt, created a
root password entry box, it would be as secure as Linux in this area?
The reason I'm asking, is that I'm having a difficult time
understanding what the hatred of UAC is about, and how it differs from
Linux. I do have Fedora on one of my boxes and I see no difference
between entering root and UAC, other than what you said about an
accidental click.

 

[xfile]

Thanks.

Difference is though that Gksudo only presents itself when the user
actually
runs it. Ie...if I run "gksudo myapp" I will see the prompt as you
describe
it.

If I just run "myapp"...I will never see a prompt no matter what it tries
to
do. Anything it tries to modify that it is not allowed will simply be
denied to it. An app not started under elevated permissions can never gain
elevated permissions.

The line "gksudo is a graphical frontend to sudo included with Ubuntu. It
comes up automatically when an application tries to perform an action
requiring root privileges." is actually a little bit misleading.

The only reason gksudo comes up automatically is because it is part of the
shortcut in the system menu for launching the app.

For example (from a commandline):

gksu synaptic

Starts the gksudo prompt for elevated access, and if I enter the password
correctly...then starts synaptic, the package manager. This is how it is
started via the system menu.

However...if I just run "synaptic"..I am greeted with a dialog from
synaptic
telling me it has no elevated access and can therefore not perform certain
system related functions requiring that access. And that's it. It will
never gain elevated access until I close it and restart it with proper
access.

That to me is where UAC's problem lies. An application not started with
elevated permissions can still gain them via the UAC Prompt when the app
tries to do modify the system.

--
Stephan
2003 Yamaha R6

§g???«ä?¥X?¤é???????
§g???§Ñ?????????

 

[Kerry Brown]

You are right, nothing stops a rogue program from executing that. However,
there is one difference.

UAC prompts might be legitimate.

gksudo prompts, unless you as a user specifically started it....are not
legitimate. There is not a single piece of software I am aware of in
existance that would legitimately start a gksudo request at some random
point in time. Something would be seriously amiss if a standard app all
of
a sudden presented that prompt.

It is of course still vulnerable to social engineering. Anything
is...nothing can protect the user from willingly destroying their system
after all. =)

I think your assumption is valid in part because Linux users are in general
more knowledgeable than Windows users. If Linux was on the same number of
desktops as Windows and had as many users that didn't want to know anything
about the OS then the same problem might exist. A big part of the problem
with Windows is it's history. For some reason many people resist running
with a least privilege security model. In Linux and other OS' this is the
norm and users expect it. Because of Window's history this is foreign to
most Windows users. How many Windows users if forced to switch to Linux
overnight would logon as root just because it's easier to do admin tasks
that way. I often wonder how many Linux users who started with Windows run
as root. I'm sure there are some. It's ingrained into the Windows culture


In the end it comes down to a flawed security model. Both OS' are trying to
adapt a security system that was designed to keep users data separate to
stop programs from attacking the system. The user account model wasn't
really designed for that. If anything system privileges were limited for
user accounts to prevent accidental damage by users not attacks from
programs. Both gksu and UAC are an attempt to give the user control over
which programs run and under what circumstances. I do agree that gksu is
easier to live with. In my opinion the reason for this has more to do with
the way users use the different OS' rather than some fundamental flaw in
UAC. Too many users will always run Windows with an administrator account.
There is no way to stop them. UAC tries to do an end run around this and
introduce some security.

 

[Stephan Rose]

I think your assumption is valid in part because Linux users are in
general more knowledgeable than Windows users. If Linux was on the same
number of desktops as Windows and had as many users that didn't want to
know anything about the OS then the same problem might exist. A big part
of the problem with Windows is it's history. For some reason many people
resist running with a least privilege security model. In Linux and other
OS' this is the norm and users expect it. Because of Window's history this
is foreign to most Windows users. How many Windows users if forced to
switch to Linux overnight would logon as root just because it's easier to
do admin tasks that way. I often wonder how many Linux users who started
with Windows run as root. I'm sure there are some. It's ingrained into the
Windows culture

Oh yea, I've seen the question "How do I run as root" on more than one
occasion in the Ubuntu newsgroup. Generally answered with "This is how but
do so at your own peril." =)

One thing though that I think UAC might lead to though is malware targetting
apps that are known for UAC prompts that users just blindly click "allow"
on for deployment. I mean, if I was going to write malware for vista,
that's likely how I'd do it...

--
Stephan
2003 Yamaha R6

å›ã®ã“ã¨æ€ã„出ã™æ—¥ãªã‚“ã¦ãªã„ã®ã¯
å›ã®ã“ã¨å¿˜ã‚ŒãŸã¨ããŒãªã„ã‹ã‚‰

 

[Ronnie Vernon MVP]

Difference is though that Gksudo only presents itself when the user
actually
runs it. Ie...if I run "gksudo myapp" I will see the prompt as you
describe
it.

If I just run "myapp"...I will never see a prompt no matter what it tries
to
do. Anything it tries to modify that it is not allowed will simply be
denied to it. An app not started under elevated permissions can never gain
elevated permissions.

The line "gksudo is a graphical frontend to sudo included with Ubuntu. It
comes up automatically when an application tries to perform an action
requiring root privileges." is actually a little bit misleading.

The only reason gksudo comes up automatically is because it is part of the
shortcut in the system menu for launching the app.

For example (from a commandline):

gksu synaptic

Starts the gksudo prompt for elevated access, and if I enter the password
correctly...then starts synaptic, the package manager. This is how it is
started via the system menu.

However...if I just run "synaptic"..I am greeted with a dialog from
synaptic
telling me it has no elevated access and can therefore not perform certain
system related functions requiring that access. And that's it. It will
never gain elevated access until I close it and restart it with proper
access.

That to me is where UAC's problem lies. An application not started with
elevated permissions can still gain them via the UAC Prompt when the app
tries to do modify the system.

Stephan

Thanks for this very good description of the way gksudo works, this makes it
much easier to understand the differences.

 

[Jimmy Brush]

UAC on the other hand, if I understand correctly, would now present the user
with its prompt if it wants to allow the action or not despite the app not
having been started with elevated permissions. That is where I see the
problem with it. An app that has not been started with elevated permissions
should never be able to obtain them, not even through a prompt.

An application is either started elevated or non-elevated. Once an
application is started, it cannot switch between the two. (But it can
always run another executable that requests admin access)

UAC does not detect when an application uses admin privs and then
automatically prompt the user.

When an application is released by the developer, the developer
chooses whether his application needs admin privileges, and UAC uses
this to determine whether to show a prompt.

Of course, your point still stands, as the application primarily is in
control of when a prompt occurs, although the granularity of the
elevated/non-elevated seperation is at the process or COM-object
level.

 

[Jimmy Brush]

Hello,

There is a major flaw with this entire approach (in any OS). The issue is
that a lot of malware, trojans, etc. tend to install themselves via
exploits. Exploits by their inherent definition usually defeat the security
mechanisms in place.

No security system is invulnerable to exploits.

You are of course correct about exploits, but I'm not sure I
understand how this affects UAC, and I am very confused as to how you
see UAC as a major flaw.

Pretending for a second that one had a mythical system that could not
be exploited, if there was no UAC-equivalent, and one were logged in
as an admin, what difference would the unexploitability make when
running programs?

UAC assures that even if you are logged in as an admin, a non-admin
tool will not be able to perform admin tasks (unless it performs an
exploit). Isn't that just as important as guarding against exploits?

Why is keeping code that does not require privilege from running with
privilege a bad thing?

That is why I prefer Linux's approach to the problem rather than UAC. UAC
will still let the program do whatever it wants if the user clicks Yes.

Linux on the other hand (save for exploits) the program has *no chance*
whatsoever unless I personally started it with elevated permissions.

They key difference being between acting and reacting.

It's impossible under Linux to accidentally start an app with elevated
permissions! It just simply takes too much "work". It's a decision I have
to make ahead of time.

UAC all it takes is a wrong accidental mouse click on a prompt as all I am
doing is reacting to its prompt.

You seem to imply that in Windows, UAC is just popping up at random
times and is not tied to any event in particular.

This is not true - UAC is exactly like sudo... unless a program is
attempting to exploit sudo/UAC, the prompt (enter password in sudo or
continue/cancel in uac) only appears in response to a user taking
administrative action.

I understand your point here to be that it takes more work to start an
admin program in Linux, and so that makes it more secure.

UAC and SUDO allow users (accidentally or not) to elevate
applications, but prevent *applications* from doing this of their own
accord.

They BOTH do this using the same check-with-the-user model, and they
are BOTH reactionary and subject to user error.

In Windows -> In Linux

1. Double-click admin app -> Run admin app w/ sudo
2. UAC prompt -> sudo prompt
3. Admin App is executed if user confirms

You are arguing on point #1, saying that the user is showing "more
intent" to run the admin application by using sudo ...

But it seems to me the user shows just as much intent by
double-clicking the application in windows, especially since admin
actions are adorned with the UAC shield icon. UAC prompts from actions
that don't have the UAC icon will be suspicious, just as running an
application w/out sudo that prompts for the root password is
suspicious in linux.

Regardless, intent is determined by the security model on #2, not #1
.... this is how the sytem verifies that the user is in fact the one
who is performing the admin action.

Any extra steps in #1 just serves to delay the user from executing the
admin app, it doesn't do anything to prevent privilege elevation by
other applications.

An out-of-the-blue UAC prompt would look just as suspicious in Windows
as would an out-of-the-blue sudo prompt on a Linux box.

They are the same model, just implemented differently

 

[Jimmy Brush]

I'd as much as like you to learn

But without comparing with others, the following statement still stands:


And we all know, a user can get used to clicking Yes rather quickly and
easily, and that's how many got infected in the first place.

You're supposed to click Yes on a UAC prompt when you start an
administrative program.

Just like you're supposed to enter a password when you sudo an
application.

That certainly doesn't mean you will plow thru a UAC prompt or a sudo
prompt when you don't expect one.

If you are running linux, and you run a non-admin program and you get
a sudo prompt, or you just randomly get a prompt asking for your root
password, are you going to type it in?

Similarly, if you run a non-admin application in Windows and get a UAC
prompt, or a UAC prompt just randomly appears, are you just going to
click continue?

UAC prompts (and sudo prompt) are powerful *because* you know when to
expect them, and more importantly, when not to expect them.

 

[Jimmy Brush]

Hello,

You are right, nothing stops a rogue program from executing that. However,
there is one difference.

UAC prompts might be legitimate.

gksudo prompts, unless you as a user specifically started it....are not
legitimate. There is not a single piece of software I am aware of in
existance that would legitimately start a gksudo request at some random
point in time. Something would be seriously amiss if a standard app all of
a sudden presented that prompt.

It is of course still vulnerable to social engineering. Anything
is...nothing can protect the user from willingly destroying their system
after all. =)

A UAC prompt is only legitimate if the user is taking an
administrative action, just like a sudo prompt in linux.

While you have to use a tool to tell Linux when you are running an
admin tool, Windows knows what applications are admin apps and what
aren't, and exposes this info to the user via the UAC shield icon, so
the user doesn't need to guess what things need admin power and what
don't.

A user double-clicking an admin app is doing exactly the same thing as
a user running sudo on an app in linux, and a random UAC prompt or a
UAC prompt from a non-admin app would raise as much of an alarm .

 

[Jimmy Brush]

I would add that the fact that the application controls whether it
prompts isn't a big difference from linux.

A linux developer controls whether their application will prompt or
not by making it fail if it isn't ran with admin power.

 

[Kerry Brown]

One thing though that I think UAC might lead to though is malware
targetting
apps that are known for UAC prompts that users just blindly click "allow"
on for deployment. I mean, if I was going to write malware for vista,
that's likely how I'd do it...

This is a possibility. There is already talk of a possible attack by a drive
by exploit placing a link to malware in the user's Start Menu replacing a
link to a program that requires elevation. The user's Start Menu is writable
without a UAC prompt. The malware could also be stored in the user's profile
without a UAC prompt. The first time the user tries to run the application
they would get an expected UAC prompt, OK it, and the malware would run
gaining system privileges. It requires some social engineering but anything
can be defeated if you can trick the user. This isn't limited to Windows.
You could do the same thing in Linux although it would take a bit more work.
You'd need to use symbolic links then trick the user into running it with
sudo. This is why I say trying to stop malware by limiting user account
privileges is only a stopgap.

 

[Jimmy Brush]

I think your assumption is valid in part because Linux users are in general
more knowledgeable than Windows users. If Linux was on the same number of
desktops as Windows and had as many users that didn't want to know anything
about the OS then the same problem might exist. A big part of the problem
with Windows is it's history. For some reason many people resist running
with a least privilege security model. In Linux and other OS' this is the
norm and users expect it. Because of Window's history this is foreign to
most Windows users. How many Windows users if forced to switch to Linux
overnight would logon as root just because it's easier to do admin tasks
that way. I often wonder how many Linux users who started with Windows run
as root. I'm sure there are some. It's ingrained into the Windows culture


In the end it comes down to a flawed security model. Both OS' are trying to
adapt a security system that was designed to keep users data separate to
stop programs from attacking the system. The user account model wasn't
really designed for that. If anything system privileges were limited for
user accounts to prevent accidental damage by users not attacks from
programs. Both gksu and UAC are an attempt to give the user control over
which programs run and under what circumstances. I do agree that gksu is
easier to live with. In my opinion the reason for this has more to do with
the way users use the different OS' rather than some fundamental flaw in
UAC. Too many users will always run Windows with an administrator account.
There is no way to stop them. UAC tries to do an end run around this and
introduce some security.

Well said, Kerry .

I would like to see the day where user accounts are used as they were
intended, to assign privileges to users, and GUI programs can be run
inside of these accounts in such a way that the OS enforces that the
app can only do what it has told the user it is going to do thru its
GUI, nothing else, and without prompts

 

[Jimmy Brush]

Yes.

I would like to clarify here:

I meant that it is impossible with the Windows architecture (and any
other current GUI OS architecture AFAIK), not that I believe it is
inherently impossible for a GUI OS to be designed to do this.

- JB