Well NTFSv5/6 permissions have many more options and are managed by an ACL (a list with specific granting and denial info for certain users/groups) for each file and directory.
But I wouldn't say Unix-style permissions are less secure; they are just less flexible by themselves.
While I'm a Unix nerd, regular Unix style permissions aren't as robust as NTFS permissions. When you implement ACLs or similar then you get on par, but Unix style permissions can't hang.
The only things I miss from "regular Unix style permission[s]" are (a) a separate delete flag on files and (b) the ability to restrict permissions to specific user(s) other than the owner. And POSIX ACLs do the latter. I'm not quite familiar with them, however, so it's even possible they do the former.
...but I'd also like to separate rights for 'read' and 'copy' actions, since e.g. there might be circumstances where one would like to make files available to users with read only rights and no right to copy the files ...
I'm specifically referring to copyrighted fonts made available to users at the design school I work for. We have no way to ensure that every single student does not 'steal' our $20.000 worth of fonts by simply copying them to their own computers...
My question is, why the extra "delete" option?
If it's to allow people to alter a file without wiping it out, then remember that they can still overwrite all the content of the file.
And *nix has an interesting way to avoid accidental deletion: just have the file have a hardlink in some other part of the file system. Only when all hardlinks are deleted is the actual inode area on the disk opened for rewrite.
Hardlinks can also be used to give per-user rights, as in, each user is the owner of their own hardlink.
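The two points made above (a second hardlink keeps the inode alive after the first name is unlinked, but a link does nothing against overwriting through the other name) can be checked directly. This is an added example, not code from the thread; it builds its own throwaway file in a temporary directory, and the `hardlink_demo` function name and the file names are my own choice.

```python
"""Added example: hard links protect against deletion, not against overwriting.

Creates a file, adds a second hard link under a different directory on the
same filesystem (hard links cannot cross filesystems), then shows:
  1. both names share one inode (st_nlink == 2, same st_ino, same owner),
  2. a write through one name is visible through the other,
  3. unlinking the first name leaves the data reachable via the second.
"""
import os
import shutil
import tempfile


def hardlink_demo():
    """Run the demonstration and return the observations as a dict."""
    workdir = tempfile.mkdtemp(prefix="hardlink-demo-")
    try:
        original = os.path.join(workdir, "report.txt")
        keep_dir = os.path.join(workdir, "keep")          # "some other part of the tree"
        backup = os.path.join(keep_dir, "report.txt")
        os.mkdir(keep_dir)

        with open(original, "w") as fh:
            fh.write("v1")

        os.link(original, backup)                         # second directory entry, same inode
        st_a, st_b = os.stat(original), os.stat(backup)
        links_after_link = st_a.st_nlink                  # expected: 2
        same_inode = st_a.st_ino == st_b.st_ino
        same_owner = st_a.st_uid == st_b.st_uid           # one inode => one owner, one mode

        # Overwrite through the original name; the backup name sees the new content
        with open(original, "w") as fh:
            fh.write("v2")
        with open(backup) as fh:
            seen_via_backup = fh.read()                   # expected: "v2"

        os.unlink(original)                               # "delete" the user-visible name
        survives_unlink = os.path.exists(backup) and os.stat(backup).st_nlink == 1
        with open(backup) as fh:
            content_after_unlink = fh.read()              # data is still there: "v2"

        return {
            "links_after_link": links_after_link,
            "same_inode": same_inode,
            "same_owner": same_owner,
            "seen_via_backup": seen_via_backup,
            "survives_unlink": survives_unlink,
            "content_after_unlink": content_after_unlink,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in hardlink_demo().items():
        print(f"{key}: {value}")
```

Because every name of a hard-linked file maps to the same inode, the names also share one owner and one set of permission bits, which the `same_owner` observation makes visible; per-user rights on a single file are what named ACL entries are for, not extra links.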
You can implement ACLs in Linux and many other flavors of UNIX by way of POSIX compliant ACLs. This form of ACLs is based on the IEEE's POSIX 1003.1e draft 17, also known simply as POSIX.1e. This allows one to easily implement ACLs in addition to the standard Unix file permissions. POSIX ACLs give *NIX users and administrators the same flexibility and fine-grained control over who can read, write, and execute files as those running Windows NT based OSs.
Commercial Unix operating systems (except SCO) have all had ACL functionality for quite a while. FreeBSD supports POSIX.1e ACLs as well. Linux 2.6.x series kernels have supported ACLs for EXT2, EXT3, XFS, JFS, and ReiserFS as well as other esoteric filesystems for years. *NIX's implementation of ACLs can be manipulated easily in both KDE and Gnome using GUI tools, just like within Windows.
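The post above says POSIX.1e ACLs add fine-grained control on top of the rwx bits, and an earlier post asked for a way to grant access to specific users other than the owner. The following is an added example, not code from the thread, that models the POSIX.1e access-check algorithm in Python: owner entry, named users, group class (owning group plus named groups, clipped by the mask), and other. The sample ACL (uids, gids and the "font file" scenario) is constructed for the illustration; the `Acl` class and function names are mine.

```python
"""Added example: the POSIX.1e ACL access check, modelled in Python.

Entry kinds mirror what getfacl prints:
  user::    owner (ACL_USER_OBJ)      user:NAME:   named user (ACL_USER)
  group::   owning group (GROUP_OBJ)  group:NAME:  named group (ACL_GROUP)
  mask::    upper bound for every entry except the owner and "other"
  other::   everyone else
Permissions use the usual bit encoding r=4, w=2, x=1.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int                                   # user::
    group_obj: int                                  # group::
    other: int                                      # other::
    users: Dict[int, int] = field(default_factory=dict)   # uid -> perms (user:NAME:)
    groups: Dict[int, int] = field(default_factory=dict)  # gid -> perms (group:NAME:)
    mask: Optional[int] = None                      # mask::, present when named entries exist

    def _masked(self, perms: int) -> int:
        # Without a mask entry (no named entries) nothing is clipped.
        return perms if self.mask is None else perms & self.mask


def check_access(acl: Acl, uid: int, gids: Set[int], want: int) -> bool:
    """Return True if a process with uid/gids is granted every bit in `want`."""
    if uid == acl.owner_uid:                        # 1. owner: mask is NOT applied
        return acl.user_obj & want == want
    if uid in acl.users:                            # 2. named user, clipped by mask
        return acl._masked(acl.users[uid]) & want == want
    candidates = []                                 # 3. group class: any matching entry that
    if acl.owner_gid in gids:                       #    grants the access is sufficient
        candidates.append(acl.group_obj)
    candidates += [p for gid, p in acl.groups.items() if gid in gids]
    if candidates:
        return any(acl._masked(p) & want == want for p in candidates)
    return acl.other & want == want                 # 4. everyone else


def chmod_group(acl: Acl, bits: int) -> None:
    """Model chmod g=... : with an extended ACL it rewrites mask::, not group::."""
    if acl.mask is None:
        acl.group_obj = bits
    else:
        acl.mask = bits


def font_acl() -> Acl:
    """Constructed sample: font file owned by a designer (uid 1000, gid 100 'staff').

    getfacl would show roughly:
        user::rw-  user:2001:r--  user:2002:rw-  group::r--  mask::r--  other::---
    """
    return Acl(owner_uid=1000, owner_gid=100, user_obj=R | W, group_obj=R, other=0,
               users={2001: R, 2002: R | W}, mask=R)


if __name__ == "__main__":
    acl = font_acl()
    print("designer can write:", check_access(acl, 1000, {100}, W))
    print("student 2001 can read:", check_access(acl, 2001, {200}, R))
    print("student 2002 can write (rw- entry, r-- mask):", check_access(acl, 2002, {200}, W))
    print("unrelated uid 3000 can read:", check_access(acl, 3000, {3000}, R))
```

The mask is the part that surprises people coming from plain rwx bits: user 2002 has an `rw-` entry but is still denied write, because `mask::r--` caps every non-owner entry, and a `chmod g-r` on such a file lowers the mask rather than `group::`, silently cutting off the named users as well. Real tools (`getfacl`, `setfacl`) operate on the same entry kinds this model uses.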
Unix-style permissions are limited and not particularly secure. They're more an accident of how Unix was initially implemented than anything else. ACLs are the way of the present and MAC/RBAC (and I hope Capabilities) is what will be implemented in the future (or in high-security installations today).
One of the design goals of NT was to pass the B2 Common Criteria certification for the US DoD. Under those criteria, Unix permissions just don't cut it. That's why all *nixes are adding ACLs and other mechanisms.
B2 is a classification for Trusted Computing under the long defunct Trusted Computer Security Evaluation Criteria (TCSEC), which was cancelled March 1999:
http://www.alw.nih.gov/Security/FIRST/papers/criteria/tcsec.txt
Under Common Criteria a trusted system would be evaluated at an Evaluated Assurance Level (EAL) of 4+ or better.
The original design goal of Windows NT was to be evaluated at TCSEC C2, which is the minimum for processing Top Secret information. This link should be helpful in describing the TCSEC security ratings:
http://www.windowsecurity.com/whitepaper/Windows_NT_Security_Part_1...
B2 level security calls for Labeled Security and would be evaluated today using the Labeled Security Protection Profile (LSPP). There is no version of Windows that I am aware of that supports Labeled Security.
Edited 2007-04-28 02:15
I'm confused [actually, not, but whatever]. ACL is not something you can't see or can't hear about in Linux land, but many just behave like it wouldn't exist, maybe it's easier to dismiss. I don't give a rat's behind, but as I know extx, xfs, jfs, reiser support acl without patches in the 2.6.x branch (feel free to correct me, with facts not with wishes), even samba IIRC, I think there is still work to be done on nfs, but still, talking about it as if it wouldn't even exist bothers me.
I also was confused. getfacl and friends have been available for years.....
http://www.suse.de/~agruen/acl/linux-acls/online/
Have another read of what I said. Here's a quote for you:
I never said alternatives don't exist, I referred specifically to the rwx bits of files and directories. I'm not sure why you're confused.
Yeah, why innovate at all? It's all just re-inventing the wheel at this point. Why not completely mimic the Windows UI on every operating system. Re-doing a new design is just re-inventing the wheel, right? Why code Linux? It's just a clone of Unix.. Isn't THAT just re-inventing the wheel? The truth of the matter is, it's a matter of preference. Believe it or not, some people like the way Windows does it.
I would just prefer a more secure kernel and OS, not something that asks me if I am sure that I would like to change the theme 1000 times.
It's not that the kernel and core OS components are insecure so much as it's the applications demanding access to system-wide resources. I'm sure that Windows has many system resources that should be per-user, but changing these would break the applications. The applications were written on the premise that the user has full rein over the system, which is no longer the case. The crap that used to pass for an application doesn't cut it anymore, and that's why we (or more accurately you [all], since I don't use Vista) have UAC.
Other operating systems provide the same mechanisms provided by UAC, but they're much less annoying because the applications for those platforms understand that the user has limited rights. Most Linux distributions have a one-command or one-click software update facility that only requires root authentication once, not once (or more) for every package. Changing desktop or application settings is not a privileged operation. If Vista worked like this, then UAC wouldn't be universally hated at all.
People liken UAC to a "boy who cried wolf" situation. But these prompts aren't false alarms, they are actually wolves in sheep's clothing. The applications shouldn't be doing this stuff, but the user has to let them have their way or else they won't work properly.
Well, it might not be that UAC is that bad, but currently, people who want to install Firefox from their website get 3 (!!!) messages of 'are you sure' before they even enter the installer (to answer even more questions).
First 'this is downloaded, are you sure you want to run it' then a 'this is an unknown app, sure you want to run it' then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in Linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click 'execute', and it's done. Windows would need to ask 30 times 'are you sure' and a lot of other 'next' style wizards asking if you want another icon on your desktop or where you want to install the application.
Yeah, software management only got harder with UAC while it doesn't solve anything (OF COURSE you just hit enter, it's way overdone!)
UAC has been overplayed by the "MS SUXXORZ" crowd as expected. The idea that it pops up every seven seconds is stupid at best, and the usual FUD at worst. Once you're done installing and configuring crap, you should not see it. Let me repeat that: I haven't seen a UAC prompt since I "stabilized" my two Vista boxes almost two months ago. If I expect to see it, I expect I'll see it about as often as I do on Ubuntu.
But of course, it's always more fun to blabber on about how a Microsoft product is doing "funny" things. Yes, "universally hated" and the basic misunderstanding (probably on purpose) of the fact that UAC compensates for software written for the admin-all-the-time model of previous versions of Windows.
Carry on. Those of us who actually use Vista know that you are full of shit.
I have vista here, and it's shit. Not that guy, Vista.
Currently, people who want to install Firefox from their website get 3 (!!!) messages of 'are you sure' before they even enter the installer (to answer even more questions).
First 'this is downloaded, are you sure you want to run it' then a 'this is an unknown app, sure you want to run it' then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in Linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click 'execute', and it's done. Windows would need to ask 30 times 'are you sure' and a lot of other 'next' style wizards asking if you want another icon on your desktop or where you want to install the application.
Yeah, software management only got harder with UAC while it doesn't solve anything (OF COURSE you just hit enter, it's way overdone!)
1) You don't get asked a 1000 times.
2) That dialog that you get is not asking you if you are sure you want to run it, it is elevating your privileges so you can run it.
3) No matter what OS or kernel you are using, a user running as admin has full rights to the system (except in Vista, actually, only the administrator account has full access, and that is disabled by default).
Yes, you get asked stuff a million times. Way too much. Not just UAC, everything. Try to install an application:
First 'this is downloaded, are you sure you want to run it' then a 'this is an unknown app, sure you want to run it' then UAC, then the installer. Sorry, but I can install 10 applications with only ONE dialog asking me for the root password in Linux. Start Adept/Synaptic/whatever, give pw, tick 10 boxes, click 'execute', and it's done. Windows would need to ask 30 times 'are you sure' and a lot of other 'next' style wizards asking if you want another icon on your desktop or where you want to install the application.
How? You run the app as root, so everything in the app is as safe as a process in Vista which runs under UAC. The only difference is that in Linux, you have a centralized and easy way to manage software, Vista lacks such a technology. That's why you need a lot more work in Vista to install apps.
There are many advantages of a centralized repository of software - it's easier, the software is checked by the distributor (it would be like MS having checked each and every piece of software you download) and you have a centralized and effective way of managing updates. Thus you have a much lower chance of installing spyware and adware or otherwise infected software. The Linux update software doesn't just work for a certain small amount of software (eg only Vista itself) but also for all other installed software like web browsers, music software, video players, photo management - all of it receives updates through the same mechanism.
This is the last in the line on this code base, I have tried it out and you have to click on prompt boxes.
* When trying to change almost anything the screen dims in the background and a prompt box appears asking if this is what you want to do. Of course it is why on earth would I click on it in the first place? It is out of control, why can't it be like my Linux distro Fedora with a regular user account that can run programs/applications and perform computing functions. Then have the admin account to install what you need or make system changes. From the time I spent on it in a Office Depot store it was slow, actually one of the laptops blue screened with the 'infamous IRQ NOT EQUAL' that means it was a buggy driver.
Basically, this is nothing more than a rehashed Windows NT Workstation code base that was unstable until about SP5 or SP6, when it actually was not too bad.
Anyways, the UAC will not protect the system completely since deviant people sit around and write viruses, trojans and spyware for Windows because they like to cost companies money which in turn pass it on to the consumer. I gave up on Windows NT Workstation when I performed my first install of the Red Hat Professional 6.0 boxed set back around 1999.
In the Enterprise at work, I run Fedora Core 6 on my laptop/workstation and the Corp runs Windows XP Pro however, just as previous Windows versions you have to run as Administrator on a Windows machine to run certain programs. I use the VPN or Citrix client to log in on my laptop, but the security in Windows is there but it is not correctly implemented.
I just don't understand why in previous Windows releases you need to run as Administrator? It should have been locked down years ago, but they created this monster and they are having the worst time trying to correct it.
Just as a Professor told me in College years ago, 'Always grant the LEAST amount of permissions to get the job done, because you can always add but it is almost impossible to start taking them away'........
How true that quote is, and I do not understand a Corp's nonchalant attitude with data security being of the utmost importance.
And you call yourself a 'professional'? anyone who has half a brain will tell you that the reason for Administration by default with Windows XP and below is for compatibility reasons relating to how things are written to the hard disk and how some poorly written applications interact with the system itself.
Oh, and btw, when you run Windows Vista, you're not running in Administrator mode, hence the reason for UAC - it temporarily elevates privileges for that given application, it's no different than the use of sudo/gksu in the *NIX world.
Ah, the professor. If I had 10 cents for every professor I met who never stepped foot into a company, I would be a millionaire by now. Just because a professor says something, doesn't make it gospel or some new revelation.
Microsoft *KNOW* about security, the problem is that third parties would rather refuse to update their software and write their programmes properly to take into account restricted access when running.
Microsoft only provides it for backwards compatibility - I swear there is a legion of pea brain people like you out there claiming that Microsoft makes these decisions for shits and giggles.
Microsoft is a multibillion dollar organisation with some of the smartest people in the industry, you really think they go out of their way to deliberately do bone-headed and stupid things? Ever thought there was more to it than just what appears on the surface?
Edited 2007-04-28 02:49
Microsoft can be a multi-billion-dollar company and be beaten by the monster they created!
Microsoft's own products have a hard time playing nice with UAC. Why is it recommended to run Visual Studio 2005 as administrator every time you launch it? Never seen that on any development tools on any other OS! Why did it take 5 months to provide compatibility for something like SQL 2005 or Visual Studio 2005?
Also you go to control panel, run network setting just to check (read only). Oops, "Please confirm..."... What's the point for a read only operation? The truth is that Microsoft did not take time to carefully check every windows component so that the user is not prompted abusively.
Where did Microsoft guarantee that Visual studio 2005 would work on Windows Vista flawlessly? Microsoft never said so. Visual Studio 2005 was provided for programmers to get their applications up and ready to run on Windows Vista whilst still in a Windows XP environment.
The next version of Visual Studio will be 100% compatible with Windows Vista, and might possibly be a free upgrade for those who are running Visual Studio 2005 - then again, most people who programme for Microsoft Windows will have a MSDN subscription which means they'll automatically get it.
UAC and sudo are not at all the same. They work in quite different ways. Sudo grants the user temporary extended rights (depending on the configuration of sudo - visudo) while UAC prompts _every time_ the user goes out of his/her normal domain. Two very different approaches and behaviour. UAC is no more like sudo than bananas are like strawberries.
Eeh.. no. That's not how sudo works. Sudo grants the user some extra rights (depending on configuration) and typically a "ticket" for 5 minutes (where anything can be done without having to enter the password again). Of course anything spawned by a sudo'ed process will have the same rights. That's obvious.
The big difference is that UAC is less customizable, is not ticket-based (a mistake), does not require the user's password (big mistake). And UAC grants the rights to the process rather than the user, leading to the click-endlessly hell. UAC != sudo. sudo however grants to the user and not to the process. Big difference. UAC and sudo have something in common, but they are not closely related.
Oh, and btw, when you run Windows Vista, you're not running in Administrator mode, hence the reason for UAC - it temporarily elevates privileges for that given application, it's no different than the use of sudo/gksu in the *NIX world.
Have you ever used sudo/gksu? They require you to enter your password unless expressly configured to do so which is insecure. Does UAC ask you for a password? Not that I can tell.
"Microsoft only provides it for backwards compatibility - I swear there is a legion of pea brain people like you out there claiming that Microsoft makes these decisions for shits and giggles."
Remember that one time when Apple made a transition to a new platform and the developers came with them?
(Hint: they did it 3 times in just over a decade: 68k -> PowerPC, Mac OS 9 -> Mac OS X, PowerPC -> x86).
I'm not trying to spark a Mac v PC argument, I'm just suggesting that Microsoft's strategy and your argument in favor of it are fundamentally flawed. Microsoft has way more clout with developers than Apple, it is their decision to continue to base things off the same/a similar kernel. If they wanted to they could completely rewrite the OS in about a 3 year period, provide an emulation layer in the initial release of said OS for its first release, and drop support at the second release. They would lose very few customers in the process, and a ninety some percent market share is unsustainable anyway. So they might as well give up a few customers now and have a solid base instead of waiting for legions to find something better.
On the network I control, 99.99% of the client workstations have users running at nothing more than Domain User and Local User on the machines. They can't install anything unless it's something I've defined in the GPO. The other 0.01% is my workstation.
I think there are a lot of Windows "administrators" that need to take a share of the blame.
UAC is Mandatory Access Control.
MacOS X 10.5 Leopard, FreeBSD, OpenBSD, Trusted Solaris, and Linux have MAC implementations that differ from UAC. There are likely other OSes with MAC security frameworks, but those are all that I can think of ATM.
However, just because MAC is supported doesn't mean it's used by default. Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
Edited 2007-04-28 01:28
However, just because MAC is supported doesn't mean it's used by default. Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
This is why I think fedora is so great (even though I don't use it) because it supports MAC out of the box along with SSP and other security protections.
Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default.
SELinux is part of every linux kernel today although it's not enabled by default.
This is why hardened distributions are a unique breed.
They are a rare breed because the functionality is disproportional to the gained security. In other words, the more secure a system becomes the less functional it often is.
Edited 2007-04-28 06:25
While UAC is a good concept, the implementation/execution doesn't fare too well...
Today, I have seen MS Vista in action for the first time. While it did look quite nice, the UAC kept harassing the user while installing programs or accessing folders on his computer. By harassing, I mean, the user had to click "Continue" twice for accessing a protected folder (once for "Access denied, do you want to continue?", another time for "Do you want to authorize the app?"). Installing applications from network shares didn't always work, probably because UAC kept getting in the way (and the installers weren't the most recent).
While not perfect, caching supervisor privileges for a little while like Fedora and Ubuntu do seems a better approach to me.
In one article they admit that UAC is a failure (relative to the bar they set themselves up against - especially considering this is Microsoft we're talking about, "Quelle Surprise") and in the next they say everyone should be doing this?
Left hand unaware of actions of right hand.
There's talk of MAC and like, but that's not really necessary for implementing something similar to UAC.
All UAC requires is that whenever an application needs to perform some security task, it asks the user first. You can also do this in an app on Linux by simply shelling out to sudo (or a wrapper like consolehelper). However, in order to be actually secure, you'd also need XACE running and the confirmation dialog would need access set such that only "secure" apps can access the dialog (otherwise, a virus could send events to the window to automatically click OK).
Sure, MAC is nice because it's finer grained than just sudo, and UAC uses finer grained controls, but the core UI doesn't need it. Linux distros have thus had the base UI for UAC for years and years, and only the lack of XACE support makes Windows (in theory) more secure with its UAC implementation.
Whatever, other operating systems don't have to aspire towards it - they already have it!
I've been getting nice popups from KDE whenever it needs privileges to do something since I started using it - must be three years now? I'm sure it's been in there much longer than that too.
Last time I used OSX it also provided a nice privilege escalation prompt when it needed it.
This is just typical Microsoft BS trying to cover up the fact that they've done it absolutely horribly. Hardly surprising though - the last time I had the joy of using Access 2003 I had to click my way through three totally obtuse popups just to open a database, all the while thinking "I bet UAC will be just like this...".
They can say what they want about users blindly clicking through popups, but has there ever actually been anyone, anywhere who has gone to install/run some program or opened a file and got one of these type of popups and then changed their mind?
yeah, especially since it does not work properly in the first place...
http://blogs.zdnet.com/security/?p=175
Xaero_Vincent wrote
Very few Linux OSes have support for MAC (let alone any other security measures) out of the box by default. This is why hardened distributions are a unique breed.
The default Unix/Linux practice of having a separate root account for doing insecure stuff covers 99% of your security needs. Other than Windows pseudo-geeks, who actually uses advanced NTFS file permissions? Until Microsoft stops the default of running Windows as Administrator every new-fangled idea they conjure up to secure Windows will be a waste of time for the average joe who will always take the line of least resistance.
Microsoft has created a security monster and other software vendors have followed this scandalous practice. Many off-the-shelf Windows applications will not run well unless you are administrator.
This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features.
"This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features."
If all it took was "swallowing pride", they'd have done this already. They had their own unix implementation, after all, so it wouldn't even be an issue of "swallowing pride".
*nix nerds like to think that *nix is the be-all and end-all of security, and indeed OS architecture in general. Those that think that are unaware of unix's history. It had a pretty shoddy security record during the 70's and first half 80's. The first worms were Unix worms. It wasn't regarded as the state-of-the-art in security, but just barely adequate. It improved through trial-and-error and trial-by-fire, just as Microsoft's systems have been doing since 1995.
Microsoft shouldn't adopt unix's system, as NT's security system is already superior. The problem the Microsoft had to deal with is that DOS, Win3.x, and Win9x were single-user systems with no concept of accounts with different privileges, and programs written for those systems were designed to operate under that assumption. In order to provide a smooth transition from those systems to the NT-based systems, Microsoft made the default NT accounts admin, so that the Win9x programs would run with no problems. Maybe this was a poor decision, but it is orthogonal to whether they should've adopted Unix permissions over NT's ACLs.
With Vista, the default accounts are not "admin", per se (they are "admin" but run with limited permissions, unless OK'ed by UAC). So there's no need to copy Unix let alone "swallow pride".
Edited 2007-04-28 03:52
And why was that? How come they did build an OS in 1995 and 1998 and 2001 still which didn't take ANY security into account, while in the FOSS and Unix world, security has been a problem since what, 1970? They are to blame, simple as that.
"This is my advice to Microsoft: Swallow your pride and copy Unix security standards from 1971 then use that as a foundation for any other advanced features. "
How about they copy some Unix standards from 2001 and not 1971? Besides, Unix is far from perfect, it just has a more knowledgeable and savvy user base who practice defensive computer using techniques.
And that's the real problem. Most groups that keep rolling back to Microsoft products would rather move to the newest now and patch the problems later. IT should always be conservative with their data security. Yet the ones revolving around Windows tend to take the opposite approach. I cannot imagine the ramifications if stockholders actually knew what went on in the corporate world when it comes to their company's internal network's integrity and security.
it just has a more knowledgeable and savvy user base who practice defensive computer using techniques
You mean users like my mother ?
People who have no concept about computer malware, never mind security ?
I installed Xubuntu 6.06 on her machine in September last year. She uses it like a normal user would, she clicks on everything, opens all attachments etc. No problems.
Malware is not always the fault of the user. If it was, her machine would be swamped.
He doesn't have a clue. If it wasn't for Linux/Unix's many possibilities to lock the system down while remaining highly usable my family, relatives and friends would still be fighting regular Windows problems.
Now I just install everything they need and mount as many partitions as possible with "noexec,nosuid" and after reading this thread I will add "acl" in the future.
"/tmp" and "/var/tmp" are also on a tmpfs. Further locking down on Slackware is achieved in a BSD way by configuring "/etc/suauth" to only allow su to those who are in the "wheel" group, so that a user or process that doesn't need root privileges can be prevented from ever gaining them.
There you have it: a virtually unbreakable, uncrashable operating system on which the user can do anything he/she wants, even try to break it.
And they will not be prompted with useless UAC type popups. They can just be normal unknowing users just like Microsoft wants Windows to be to its users (but isn't in practice).
And this is even without such things as SELinux, Grsecurity, RSBAC or Apparmor which will harden the system even more against remote, local and user exploits. And Solaris Trusted Extensions supposedly goes even further.
I tell my friends and relatives to try to break and crash it but so far none have managed to do so :-) The approach to security should really be to do all that you can to secure the system by default but being aware that it could always be improved.
When they come back to me after one or two years the only thing I do is install (actually untar a preconfigured image of) the newest version and then they can go happily compute again.
Microsoft knows Windows is insecure by default and instead of fixing all problems once and for all they invent kludges like UAC. They probably don't have anything left to give the impression of improved security.
As butters said earlier in the thread it is maybe not so much the insecurity of the NT kernel system but more the total lack of authentication in the Win32 layer in which any user window can pass a message to another window regardless of privilege levels.
There might be a reason for UAC-like authentication, that resembles Solaris Trusted Extensions but that's exactly the difference. In Solaris it's optional for ultra-secure environments, in Windows Vista it's been annoyingly enabled by default for everyone.
Life is so easy with Linux and Unix compared to Windows, they don't compare at all :-)
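The post above describes a concrete hardening recipe: mount as many partitions as possible with "noexec,nosuid", put "/tmp" and "/var/tmp" on tmpfs, and add "acl" where ACLs are wanted. A defender usually wants to verify that such a policy actually holds on a running box, so here is an added example, not code from the thread, that parses /proc/mounts-format lines and reports which mount points are missing the options the policy asks for. The sample mount table and the policy dictionary are constructed for the illustration; the function names are mine.

```python
"""Added example: audit mount options against a small hardening policy.

Input is in /proc/mounts format (one mount per line:
  device mountpoint fstype options dump pass).  The sample below is constructed;
when run on Linux the script reads the real /proc/mounts instead.
"""
import os

# Constructed sample table: /home and /tmp follow the recipe, /var/tmp and /data do not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime,acl 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,relatime 0 0
/dev/sdb1 /data xfs rw,nosuid,relatime 0 0
"""

# Policy: mount point -> options that must be present.
POLICY = {
    "/home": {"nosuid", "noexec", "acl"},
    "/tmp": {"nosuid", "noexec"},
    "/var/tmp": {"nosuid", "noexec"},
    "/data": {"nosuid", "noexec"},
}


def parse_mounts(text):
    """Return {mount_point: {option, ...}} for every line in /proc/mounts format."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                                   # malformed line, skip it
        _device, mount_point, _fstype, options = fields[:4]
        # The kernel escapes spaces in paths as \040 so that the line stays splittable.
        mount_point = mount_point.replace("\\040", " ")
        mounts[mount_point] = set(options.split(","))
    return mounts


def missing_options(text, policy=POLICY):
    """Return {mount_point: sorted list of missing options} for non-compliant mounts.

    A mount point the policy names but the table lacks is reported as
    ["<not mounted>"] so an unmounted tmpfs for /tmp does not pass silently.
    """
    mounts = parse_mounts(text)
    report = {}
    for mount_point, required in policy.items():
        present = mounts.get(mount_point)
        if present is None:
            report[mount_point] = ["<not mounted>"]
            continue
        gap = sorted(required - present)
        if gap:
            report[mount_point] = gap
    return report


if __name__ == "__main__":
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            table = fh.read()
    else:
        table = SAMPLE_MOUNTS
    for mount_point, gap in sorted(missing_options(table).items()):
        print(f"{mount_point}: missing {', '.join(gap)}")
```

One caveat when reading the `acl` column: on current ext4 kernels ACL support is enabled by default and is not necessarily listed in /proc/mounts, so treat a missing `acl` there as a prompt to confirm with `tune2fs -l` (which prints the filesystem's default mount options) rather than as a finding on its own. `noexec` and `nosuid` are always reflected in the options field, so those two results are reliable.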