Linked by Thom Holwerda on Mon 22nd Jun 2009 22:31 UTC
Windows Here at OSNews I have hammered and hammered on a few times already about the major flaw in Windows 7's default User Account Control, which allows people or software with malicious intent to completely bypass UAC in such an easy manner that you wonder why UAC is there in the first place. Well, the source code to this flaw has been released - since Microsoft has made it clear they have no interest in fixing it anyway - and Long Zheng, fellow advocate of fixing this bug, made a very clear demonstration video.
Thread beginning with comment 369854
Member since:

Actually, Ubuntu is a rootless distribution.

Not really, you can easily change the root password:
sudo passwd
From that moment root uses a different password than the user password.

My opinion is plain and simple: not even one application should be able to obtain admin rights automatically. All programs should ask the user for the password if they need admin rights.

Reply Parent Score: 1

ba1l Member since:

I always felt that PolicyKit was a better approach. You can define an access policy for each task you might want to perform (mounting removable media, changing the network configuration, connecting to wireless networks, changing the timezone...). The access policy can allow the request with no authentication, require sudo or su style authentication, or deny access, based on conditions (is the user logged in locally, is the user a member of a group, and so on).

The key part is that programs never run as root (or equivalent). They just ask another process to do something for them, and the OS provides a mechanism to configure who is allowed to do what.

Using something like this, most of the mundane elevation prompts that occur often could be removed entirely. That just leaves elevation prompts for unusual activities, such as installing software, which should keep the elevation prompts.

Reply Parent Score: 3

boldingd Member since:

"sudo passwd" will change root's password (giving root a password, which will let you actually log in as root at a console); however, you will still have to enter your password to do that, just like with any invocation of sudo. Also, sudo will still want your password, not the one you gave root. Finally, while it may not really matter, even if you give root a password, GDM won't let you log into an X session as root, unless you do more work.

Again: as configured by default, on any sane system, sudo is very different from UAC, and not vulnerable to this bug (as it won't perform auto-elevation).
Actually, as a note, the default user on Ubuntu is not root, and is not in the root or wheel group (I think). He's a normal user, who's been allowed to sudo.

Edited 2009-06-23 17:20 UTC

Reply Parent Score: 2

sakeniwefu Member since:

In Ubuntu the default user is not a member of wheel, but it is a member of admin. Group names don't matter in the least when you allow members to do "ALL=(ALL) ALL" in sudoers.

While sudo is better than UAC, it is not good by any stretch.

For example, it doesn't allow limiting rights to the needed subset of root. This means applications have to explicitly drop privileges by themselves when they are done. And they had better do it quickly.

This might not seem like a big deal, but holes in applications that fail to drop privileges (however trivial they are) are as good a target for escalation as the biggest hole in the OS itself.

Another inherent flaw is the default timeout window mentioned above. Applications and scripts are allowed to try and fail to gain privileges by themselves with no user interaction whatsoever (printf "\n" | sudo -S evil_command). This means they can try and try again until they get in.

Reply Parent Score: 2
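
A defender-side check for the two sudoers concerns raised in the comment above, blanket "ALL=(ALL) ALL" grants and the password-cache window, as an added example that is not part of the thread. The sample policy is constructed and `audit_sudoers` is a hypothetical helper; `timestamp_timeout` and `NOPASSWD` are real sudoers settings.

```python
import re

# Constructed sample policy for illustration; not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=15
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%netops ALL=(root) /sbin/ifconfig, /sbin/route
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")

# Hypothetical helper. Assumes one rule per line, no backslash continuations;
# aliases and #include files are not resolved.
def audit_sudoers(text):
    """Return (line_no, issue) pairs for a simplified sudoers text."""
    findings, timeout_set = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "_Alias" in line.split()[0]:
            continue
        if line.startswith("Defaults"):
            m = TIMEOUT.search(line)
            if m:
                timeout_set = True
                if float(m.group(1)) != 0:  # 0 means prompt on every call
                    findings.append((no, "credential-cache"))
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        tags, cmds = TAGS.match(spec).groups()
        if "NOPASSWD:" in tags:  # rule never asks for a password
            findings.append((no, "nopasswd"))
        if who != "root" and "ALL" in [c.strip() for c in cmds.split(",")]:
            findings.append((no, "blanket-grant"))
    if not timeout_set:  # sudo's built-in cache window applies
        findings.append((0, "credential-cache-default"))
    return findings

if __name__ == "__main__":
    for no, issue in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {issue}")
```

A policy that sets `timestamp_timeout=0` and lists explicit command paths per group produces no findings from this check.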