Comparison of privilege authorization features explained

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT (and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

Introduction to implementations

Microsoft Windows
(Figure: User Account Control prompt dialog box)
User Account Control (UAC):
Included with Windows Vista and later Microsoft Windows operating systems, UAC prompts the user for authorization when an application tries to perform an administrator task.[1]
Runas:
A command-line tool and context-menu verb introduced with Windows 2000 that allows running a program, control panel applet, or an MMC snap-in as a different user.[2] Runas makes use of the "Secondary Logon" Windows service, also introduced with Windows 2000.[3] This service allows applications running as a separate user to interact with the logged-in user's desktop, which is necessary to support drag-and-drop, clipboard sharing, and other interactive login features.

macOS
macOS includes the Authenticate dialog, which prompts the user to input their password in order to perform administrator tasks. This is essentially a graphical front-end to the sudo command.
Unix and Unix-like

Security considerations

Falsified/intercepted user input

A major security consideration is the ability of malicious applications to simulate keystrokes or mouse clicks, thus tricking or spoofing the security feature into granting malicious applications higher privileges.

If either gksudo's "lock" feature or UAC's Secure Desktop were compromised or disabled, malicious applications could gain administrator privileges by using keystroke logging to record the administrator's password or, in the case of UAC when running as an administrator, by spoofing a mouse click on the "Allow" button. For this reason, voice recognition is also prohibited from interacting with the dialog. Note that since the gksu password prompt runs without special privileges, malicious applications can still do keystroke logging using e.g. the strace tool.[14] (ptrace was restricted in later kernel versions.)[15]

Fake authentication dialogs

Another security consideration is the ability of malicious software to spoof dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.

Usability considerations

Another consideration that has gone into these implementations is usability.

Separate administrator account

Simplicity of dialog

Saving credentials

sudo's approach is a trade-off between security and usability. On one hand, a user only has to enter their password once to perform a series of administrator tasks, rather than having to enter their password for each task. At the same time, the attack surface is larger, because all programs run in that tty (for sudo), or all programs not running in a terminal (for gksudo and kdesu), that are prefixed by either of those commands before the timeout receive administrator privileges. Security-conscious users may remove the temporary administrator privileges upon completing the tasks requiring them by running the sudo -k command from each tty or pts in which sudo was used (in the case of a pts, closing the terminal emulator is not sufficient). The equivalent command for kdesu is kdesu -s. There is no gksudo option to do the same; however, running sudo -k outside a terminal instance (e.g. through the Alt + F2 "Run Application" dialogue box, with "Run in terminal" unticked) will have the desired effect.

On macOS, an application only requires authentication once, and it is requested at the time the application needs the privilege. Once "elevated", the application does not need to authenticate again until it has been quit and relaunched.

However, there are varying levels of authentication, known as Rights. The right that is requested can be shown by expanding the triangle next to "details", underneath the password. Normally, applications use system.privilege.admin, but another may be used, such as a lower right for security, or a higher right if higher access is needed. If the right the application has is not suitable for a task, the application may need to authenticate again to increase the privilege level.

Identifying when administrative rights are needed

In order for an operating system to know when to prompt the user for authorization, an application or action needs to identify itself as requiring elevated privileges. While it is technically possible for the user to be prompted at the exact moment that an operation requiring such privileges is executed, it is often not ideal to ask for privileges partway through completing a task. If the user were unable to provide proper credentials, the work done before requiring administrator privileges would have to be undone because the task could not be seen through to the end.

In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:

A sudoers rule that lets the user pete run passwd for any user except root:

pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

Manifest files can also be compiled into the application executable itself as an embedded resource. Heuristic scanning is also used, primarily for backwards compatibility. One example of this is looking at the executable's file name; if it contains the word "Setup", it is assumed that the executable is an installer, and a UAC prompt is displayed before the application starts.[20]
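As an added example (not taken from the article or from Microsoft's documentation), an application manifest that declares its required execution level to UAC; the assembly name and version are made up:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Example application manifest (constructed for illustration). When embedded
     in the executable as a resource, UAC reads requestedExecutionLevel before
     the program starts and prompts accordingly. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.SettingsTool" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level="asInvoker": run with the caller's token and never prompt
                   (the correct choice for anything that does not need admin rights).
             level="highestAvailable": prompt for elevation only when the user
                   is an administrator; standard users run unelevated.
             level="requireAdministrator": always elevate; a standard user is
                   prompted for an administrator's credentials. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Declaring the level up front is what lets the prompt appear before the task begins rather than partway through it, as the preceding paragraphs describe.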

UAC also makes a distinction between elevation requests from a signed executable and an unsigned executable and, if the former, whether or not the publisher is 'Windows Vista'. The color, icon, and wording of the prompts differ in each case, for example to convey a greater sense of warning if the executable is unsigned than if it is signed.[21]

See also

Notes and References

  1. Web site: User Account Control Overview. Microsoft. 2006-10-02. 2007-03-12. https://web.archive.org/web/20110822203611/http://technet.microsoft.com/en-us/windows/aa906021.aspx. 2011-08-22. dead.
  2. Web site: Runas. Windows XP Product Documentation. Microsoft. 2007-03-13.
  3. Web site: "RunAs" basic (and intermediate) topics. Aaron Margosis' WebLog. MSDN Blogs. 2004-06-23. 2007-03-13.
  4. Web site: About PolicyKit. PolicyKit Language Reference Manual. 2007. 2017-11-03. https://web.archive.org/web/20120218163259/http://hal.freedesktop.org/docs/PolicyKit/introduction.html#intro-about. 2012-02-18. dead.
  5. Web site: A Brief History of Sudo. Miller, Todd C. 2007-03-12. https://web.archive.org/web/20070222125751/http://www.gratisoft.us/sudo/history.html. 2007-02-22. dead.
  6. Web site: Sudo in a Nutshell. Miller, Todd C. 2007-07-01.
  7. Web site: GKSu home page.
  8. Web site: gksu PolicyKit on Gnome wiki.
  9. Web site: The KDE su Command. Bellevue Linux. 2004-11-20. 2007-03-12. https://web.archive.org/web/20070202060822/http://www.bellevuelinux.org/kdesu.html. 2007-02-02. dead.
  10. Web site: GutsyGibbon/Tribe5/Kubuntu. Canonical Ltd. 2007-08-25. 2007-09-18.
  11. You can read more about beesu and download it from Koji
  12. Web site: gksu - a Gtk+ su frontend Linux Man Page. 2007-08-14. https://web.archive.org/web/20110715062644/http://www.penguin-soft.com/penguin/man/1/gksu.html. 2011-07-15. dead.
  13. Web site: User Account Control Prompts on the Secure Desktop. UACBlog. Microsoft. 2006-05-03. 2007-03-04.
  14. Web site: gksu: locking mouse/keyboard not enough to protect against keylogging.
  15. Web site: ptrace Protection.
  16. Web site: Security Features vs. Convenience. Windows Vista Team Blog. Microsoft. Jim Allchin. 2007-01-23. 2007-03-12.
  17. Web site: Authentication Agent. 2007. 2017-11-15. https://web.archive.org/web/20120218163259/http://hal.freedesktop.org/docs/PolicyKit/introduction.html#intro-about. 2012-02-18. dead.
  18. Web site: Sudoers Manual. Miller, Todd C. 2007-03-12.
  19. Web site: Developer Best Practices and Guidelines for Applications in a Least Privileged Environment. 2007-03-15. MSDN. Microsoft.
  20. Web site: Understanding and Configuring User Account Control in Windows Vista. 2007-03-15. TechNet. Microsoft.
  21. Web site: Accessible UAC Prompts. Windows Vista Blog. Microsoft. 2008-02-13. https://web.archive.org/web/20080127133403/http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/25/accessible-uac-prompts.aspx. 2008-01-27. dead.