Originally posted by Seasanctuary

What programs are these? Most don't do that. As I mentioned above, I've only seen it happen with one: OpenVPN.

It does it for certain downloaded programs. I became so used to just clicking it away, and I don't have the laptop to say which ones (and I disabled UAC right after I was ready to jump out the window and my memory has a shelf life of about two weeks). I believe I have posted specific programs here, but it may just have been a rant in paltalk.

Originally posted by Seasanctuary

So, lock your screen when you walk away.

Oh yeah, that isn't inconvenient to anyone.
So you think it is better for me to have to enter my password one hundred times a day instead.

I don't want to keep entering my password multiple times when I'm still sitting there.

I don't know what it is that you do that requires this, but I haven't had to enter my password while I am sitting there (and how precisely does your computer know this?) in over two weeks. If you are going to constantly making those kinds of changes, then you are going to be bothered no matter what system you are. I had to deal with UAC crap every single time I used that machine.

Complaining about clicking a button when starting a program -- for the odd program requiring this -- is nowhere near as annoying as re-typing my password when I'm already logged on.

It happened constantly to me. And see above. Methinks are you slightly exaggerating how often you have to enter your password.

I know there's an option to make UAC prompts take a password. Is there an option to make OS X prompts not require a password? I've love to make that change.

Whether or not you like this philosophy, but Apple makes certain decisions that are not alterable. Why? They have a reputation to maintain and a bunch of people go around disabling things and all of a sudden people are blabbing about how insecure the system is when it was dumbass users.

That's simply reality. The same reason they have proprietary systems which is why they just work. Vista would likely work much better in such an enviroment as well - though it wouldn't cure its tawdriness.

Originally posted by Seasanctuary

Why is a full user switch the only right way to do things?

Because for the most part unprivileged users remain unprivileged. It's well tested. You have a very small surface area for exploit. sudo just provides one well guarded door, reducing the surface area.

UAC on the other hand doesn't even require a password to operate. It's not a guarded door. Heck, it's not a door in any conceivable way because the user already has the rights to do whatever UAC is stopping, you just have to count on UAC being able to interfere. It's a much messier and more error prone way of doing things.

The 'arbitrary list of special commands' will exist either way. Stuff root can do minus stuff non-root can do = 'arbitrary' list of commands.

Only if you consider file ownership arbitrary, and that would be pretty dumb, imho. Which, it really isn't, because all your files you can modify to your heart's content, but once you modify system level settings, you need to have more privileges.

And remember that in Unix, everything is a file. So, yes, it all comes down to file permissions.

The user-switching way of doing things assumes that a process will inherit the full security rights of whichever user kicks it off. Thus, manipulating which user is considered to have run the program controls its security level. Since there aren't really different users involved that whole scheme could also be seen as an 'ugly hack'. Traditional yes, but it stretches the user metaphor to a different purpose.

Well, first of all, you're wrong. A sudo'd task truly runs as root. (or whatever user you specify otherwise) I just double checked to be sure, and yep, task runs as root.

Secondly, managing the permissions of users is the only sane way to ensure that you don't wind up trusting applications. You give an application the security token of an unprivileged user, you want to know the application can not (not will not) modify something privileged without authentication.

Otherwise, you're giving an application a priviliged security token and hoping that it will revert down if it decides something is too dangerous. Which really doesn't help when a user runs an untrustworthy application. (which, btw, is the whole freaking point)

Seasanctuary,

What are you doing when you get prompted for your password? I think you've been asked that numerous times now and have avoided it at every chance.

The only reason I can think of for you needing to do that outside of making system level changes (and EVERYTIME you sit down? you should learn to deal with it then) is if you messed up your permissions.

Me thinks you're not the big security/Unix expert you claimed to be.

Originally posted by $cirisme

Seasanctuary,

What are you doing when you get prompted for your password? I think you've been asked that numerous times now and have avoided it at every chance.

The only reason I can think of for you needing to do that outside of making system level changes (and EVERYTIME you sit down? you should learn to deal with it then) is if you messed up your permissions.

Me thinks you're not the big security/Unix expert you claimed to be.

That is what I was wondering. I haven't had to put my password in since the last system update I did. And before that it was only when I installed a program that I downloaded from the Internet - which I don't do much anymore keeping true to my vow to stop being such a software tart.

Originally posted by Dee Dee Warren

Oh yeah, that isn't inconvenient to anyone.
So you think it is better for me to have to enter my password one hundred times a day instead.

Ok, I have to agree that for your situation the OS X way is a lot better. As I understand it, you aren't concerned about keeping people off your computer so much as making sure they don't break your computer.

My situation is different. I have confidential company information and a bit of personal stuff too, so locking my screen when I step away and using a password when I return is useful for me. It annoys me to prove I know my password again if an OS X prompt pops up -- which happens mostly when setting up the system and when installing new software that is a bit more invasive than copying a .app to Applications.

I don't know what it is that you do that requires this, but I haven't had to enter my password while I am sitting there (and how precisely does your computer know this?) in over two weeks.

It knows I'm sitting there because I'm logged in. (Also the camera is spying on me, no don't look at it!!)

That is what I was wondering. I haven't had to put my password in since the last system update I did.

Right, system updates. Some other software installs. I just reinstalled the whole thing about three weeks ago so there was the initial unlocking of System Preferences stuff.

It's not something I have to do every day, but then the same is true of my Vista desktop. Once set up and I'm not adding things or digging around in the configuration, neither bugs me.

One thing I am curious about is why unlocking System Preferences screens is a sticky setting. Vista will bug you every time you mess with system setup, but it has to because Windows allows programs to do things like issue mouse clicks. Maybe OS X does not provide that level of I/O events in the first place so there's no risk. It would be hard to tell which is the better architecture since it is a security vs. ability tradeoff.

Another tradeoff is with whitelisting certain programs. I think 'run as administrator' on the Properties tab should include whitelisting. Then any programs like the troublesome one[s] you found could at least be told to shut up henceforth. Reason given for not doing it this way is that malware could leverage whitelisted programs to carry out admin tasks with no user initiation or user warning. Microsoft decided to err on the side of security, for reasons much the same as what you gave here:

Whether or not you like this philosophy, but Apple makes certain decisions that are not alterable. Why? They have a reputation to maintain and a bunch of people go around disabling things and all of a sudden people are blabbing about how insecure the system is when it was dumbass users.

By the way there IS a way to whitelist certain programs. It's just stupidly complicated to point it really isn't an option for most users.

Originally posted by $cirisme

Because for the most part unprivileged users remain unprivileged. It's well tested. You have a very small surface area for exploit. sudo just provides one well guarded door, reducing the surface area.

Sure the unprivileged user account stays unprivileged, but the actual user does not.

Wouldn't it make more sense for there to be a 1:1 relationship between user and user account? Whether or not that user is allowed to invoke privileged operations can then be fully contained in the user account definition, not out in headspace depending on whether that user knows the credentials for another account altogether.

Why don't Unix admins run as root all the time? Answer I usually hear is to keep them from accidentally doing Bad Things without being fully aware of it. 'sudo' effectively becomes a "yes, I really mean it" operation just like UAC, even though it is implemented as a secondary user logon.

UAC on the other hand doesn't even require a password to operate. It's not a guarded door.

You have to be in the Administrators group to use it without a password. Both you and your user account are already authorized to escalate programs on demand. Sounds guarded to me.

Heck, it's not a door in any conceivable way because the user already has the rights to do whatever UAC is stopping, you just have to count on UAC being able to interfere. It's a much messier and more error prone way of doing things.

The real user in a user-account switching scenario already has the rights to do whatever sudo is stopping. It's just the system isn't aware of this mapping.

UAC works by kicking off processes with a non-admin version of the admin user's full access. If more is needed, it checks with the user for consent (anti-malware anti-oops just like sudo). If it gets consent, it adds the admin parts onto the access for that process. I don't see how that is so messy.

Well, first of all, you're wrong. A sudo'd task truly runs as root. (or whatever user you specify otherwise) I just double checked to be sure, and yep, task runs as root.

That's what I thought. Sorry if I came off as stating otherwise.

Otherwise, you're giving an application a priviliged security token and hoping that it will revert down if it decides something is too dangerous. Which really doesn't help when a user runs an untrustworthy application. (which, btw, is the whole freaking point)

I don't see how sudo protects against a user deciding to run an untrustworthy application. 'sudo ./malware' will work just fine.

Me thinks you're not the big security/Unix expert you claimed to be.

I do a lot of work with security professionally, but have not done much with Unix until recently. I find the differences in operating systems interesting and never as simplistic as 'one is good and the other is bad'. Here, I think UAC is given an unfairly bad rap from the very people who should be applauding Microsoft for making a much more serious effort at security than they have in the past.

Originally posted by Seasanctuary

Wouldn't it make more sense for there to be a 1:1 relationship between user and user account?

I'll assume by user you mean "physical person".

Whether or not that user is allowed to invoke privileged operations can then be fully contained in the user account definition, not out in headspace depending on whether that user knows the credentials for another account altogether.

Ok, I'm pretty sure you don't understand how sudo works then. sudo uses your current password to allow you to run commands as a different user. There are no extra credentials to remember.

Why don't Unix admins run as root all the time? Answer I usually hear is to keep them from accidentally doing Bad Things without being fully aware of it. 'sudo' effectively becomes a "yes, I really mean it" operation just like UAC, even though it is implemented as a secondary user logon.

Well, and it provides a way to control access to root privileges in a far more centralized and easy to control way than just giving people the root password.

But beyond that, I think the UAC in Vista is a very poor imitator of sudo. I really wouldn't ever call them "just alike" because whereas (imho) UAC adds only the perception of security, sudo enforces actual security.

You have to be in the Administrators group to use it without a password. Both you and your user account are already authorized to escalate programs on demand. Sounds guarded to me.

Ok, thanks for that clarification. But you're thinking in the Microsoft-centric way which is bad for security, it's not just about the user, but applications as well.

Here's the thing, an effective security model sandboxes things from each other so that a compromise in one area won't compromise everything. If Sally and Henry each use a computer, and Henry downloads spyware, (or viruses, or some other badware) you don't want it affecting Sally if you can help it.

Microsoft has always been terrible about making Windows so flexible out of the box that it effectively has no sandboxes. In XP, Sally and Henry are almost certainly both admins, and Sally is affected by Henry's spyware.

In OS X (or any Unix, really), Sally and Henry might be sudo'ers. The spyware will affect Henry, but when it tries to affect Sally, it needs to sudo and have Henry enter his password. There's no way for the application to affect the system without user intervention. (and if Henry provides that intervention, there's no technical security in the world that will help you. But it's the OS'es job to make every effort up to that point)

But what if you have just an ok box? What stops badware from just providing the confirmation?

Well, Vista tries to by basically grinding the whole os to a stop and forcing you to make a yes or no decision right there. Does it work? Maybe/maybe not. It certainly provides a huge surface vector from which to attack, not to mention the pure annoyance of that method. You can say you prefer Vista's method, but it's definitely less guarded.

But if you really absolutely must do it without a password, I believe you can configure /etc/sudoers to not require a password. I'll be honest to say that I haven't tried it, and I don't know if the OS X gui would follow along, and that I would advise against it in the strongest possible terms, but you can give it a whirl if you must.

The real user in a user-account switching scenario already has the rights to do whatever sudo is stopping. It's just the system isn't aware of this mapping.

See, this is why you need to do a little more research. sudo doesn't stop anything. sudo provides a door for you to open to get wherever you're going. (after proving to the guard you should be allowed to)

Windows is counting on UAC to slam the door shut on you if it thinks you shouldn't do something.

What's the security difference? Well imagine if both of them fail. If sudo fails, that's inconvenient for you, but your system is perfectly secure.

If UAC fails, all the doors stay open and everything runs amok.

Part of the criticism for Microsoft's hacks (and that's what UAC is), is that they don't really work through all the consequences. If sudo fails, you really don't have to worry about it, and fixing it is on your own time table. If UAC fails, that could be a big security issue.

I don't see how sudo protects against a user deciding to run an untrustworthy application. 'sudo ./malware' will work just fine.

see above.

I do a lot of work with security professionally, but have not done much with Unix until recently. I find the differences in operating systems interesting and never as simplistic as 'one is good and the other is bad'.

I agree. I see one as working consistently, well, and securely.

I see the other as totally worthless and useless marketing hype.

Here, I think UAC is given an unfairly bad rap from the very people who should be applauding Microsoft for making a much more serious effort at security than they have in the past.

Actually, I would deride Microsoft even harder for hoisting this petard on us and pretending it's good security. It really doesn't do much in the way of helping us get away from Windows users running as admins.

IOW, we wanted to see real security progress and Microsoft gave us a load of bull. Of course people are going to deride Microsoft for that, and of course Microsoft is going to deserve every bit of it.

Gold.

Originally posted by Seasanctuary

Ok, I have to agree that for your situation the OS X way is a lot better. As I understand it, you aren't concerned about keeping people off your computer so much as making sure they don't break your computer.

Partly correct, partly not. OSX does not prompt you often and only for things that you should be pretty happy it is just not letting happen.

My situation is different. I have confidential company information and a bit of personal stuff too, so locking my screen when I step away and using a password when I return is useful for me. It annoys me to prove I know my password again if an OS X prompt pops up -- which happens mostly when setting up the system and when installing new software that is a bit more invasive than copying a .app to Applications.

You are talking apples and sucky oranges here. You are locking your screen to keep people from reading your data. That has no place in this conversation. And sometimes you don't have the luxury to do that, or you forget, or any number of scenarios. And the prompts that happen as you describe is good security. And good security inherently has a bit of annoyance factor. I just can't believe you in any amount of seriousness compare it to UAC.

It knows I'm sitting there because I'm logged in.

That doesn't mean it is you sitting there. It means you were sitting there at one time.

Right, system updates. Some other software installs. I just reinstalled the whole thing about three weeks ago so there was the initial unlocking of System Preferences stuff.

Sounds like reasonable security practices to me.

It's not something I have to do every day, but then the same is true of my Vista desktop. Once set up and I'm not adding things or digging around in the configuration, neither bugs me.

As I said, you are lucky if you have not had those issues with Vista. But all the people who have aren't making it up. And as one who had, I can assure you to high heaven that it is NOTHING like OSX which is a good minimum and utterly predictable.

Originally posted by Dee Dee Warren

I do not think so, not that I noticed. And I no longer have that laptop so I can't check for you right now. You can disable UAC entirely, which is not advisable.
.

SOME programs ask you when you install them, and then most will never ask again when you run them. UNLESS you are running the program as "administrator", in that case it asks you every time. most programs dont need to run as administrator. I only have a few that I have had to set to always run as administrator.

I dont think there is a way to turn that off without disabling UAC altogether.

I think Vista is Ok, and not nearly the nightmare that some folks paint it. UAC is easy to turn off and was the very first thing I did when I received my free copy of Vista days before it was released to the public (I received my copy for doing some online testing). Vista felt fast when I first loaded it, but feels a bit clunky now, especially compared to my dual boot of Ubuntu. Games look great on it, so that's certainly a plus, but most Vista naysayers are non-gamers, so I suppose that doesn't matter much. The one thing I hate about Microsoft altogether is all the junk it leaves on your system when you remove programs. I don't seem to have that issue in Ubuntu. I also hate having to pay for certain types of programs that I can find for free in Linux. I do love having a fairly intuitive GUI in Windows, and though Ubuntu doesn't rely on the Terminal as much as it used to (unless you want to), there are still some issues that takes me hours to resolve using the terminal (especially anything to do with monitor resolution issues and video cards in general).

I have a feeling that Vista is sort of the modern equivalent of ME, and Microsoft is looking to replace is by 2010 anyways.

Originally posted by Adrift

I think Vista is Ok, and not nearly the nightmare that some folks paint it. UAC is easy to turn off and was the very first thing I did when I received my free copy of Vista days before it was released to the public (I received my copy for doing some online testing). Vista felt fast when I first loaded it, but feels a bit clunky now, especially compared to my dual boot of Ubuntu. Games look great on it, so that's certainly a plus, but most Vista naysayers are non-gamers, so I suppose that doesn't matter much. The one thing I hate about Microsoft altogether is all the junk it leaves on your system when you remove programs. I don't seem to have that issue in Ubuntu. I also hate having to pay for certain types of programs that I can find for free in Linux. I do love having a fairly intuitive GUI in Windows, and though Ubuntu doesn't rely on the Terminal as much as it used to (unless you want to), there are still some issues that takes me hours to resolve using the terminal (especially anything to do with monitor resolution issues and video cards in general).

I have a feeling that Vista is sort of the modern equivalent of ME, and Microsoft is looking to replace is by 2010 anyways.

one of the rumors about Windows 7 (Vienna) is that might support hypervisors, which I understand is somehow using full application virtualization, so that each program thinks it has the whole machine, but is really running in its own little world (I think sea has a thread about that in regards to the POE somewhere )

this should keep programs from corrupting the system and make thing a lot more robust and secure.

Originally posted by Sparko

one of the rumors about Windows 7 (Vienna) is that might support hypervisors, which I understand is somehow using full application virtualization, so that each program thinks it has the whole machine, but is really running in its own little world (I think sea has a thread about that in regards to the POE somewhere )

this should keep programs from corrupting the system and make thing a lot more robust and secure.

that's not what hypervisors do. Hypervisors virtualize whole os'es, not applications.

Originally posted by $cirisme

that's not what hypervisors do. Hypervisors virtualize whole os'es, not applications.

well then it might do both somehow. I read articles mentioning hypervisors, and some other article mentioning the application virtualization in Vienna. I put the two together, apparently erroneously.


but so far its just a bunch of rumors. MS will find some way to screw it all up. You will probably need a 6Ghz 8-core processor with 4GB of RAM just to copy a file.

We've heard similar promises for Vista before. And XP before that. And NT before even that.

I'll believe what Microsoft says about their next version of Windows when it's shipping and we have a couple credible witnesses to back it up. Till then, you really can't count on anything for the next os.