funsec mailing list archives

Re: Administrator Accounts


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 22 Feb 2006 19:41:31 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Nick FitzGerald wrote:
Vicky Røde wrote:

According to UAC's own blog (http://blogs.msdn.com/uac/), users will run
as a standard user, even administrators. Vista will be implementing
something similar to sudo, to which I say, about time.

So the security model of Vista is designed to deliberately (and 
irreversibly??) break all those "mission critical" apps written way 
back before anyone cared that much about security (because they hadn't 
heard about that "Internet thing" yet) and all those more recent apps 
written by a pack of gibbons that (read my recent post in this thread 
for the rest...)??

Wow -- that will ensure no-one runs it...

The post you're responding to vastly oversimplifies it.  UAP (or UAC
now) causes the interactively logged-on administrator to run as a normal
user.  However, Vista allows you to selectively elevate an application
to full privilege which can be used to run one of those least-privilege
disasters with your full rights.

Vista uses Application Impact Management (AIM) to handle some of those
applications that write in 'no-no' directories like the system directory
or their install folders.  If access is denied to the location of a
write attempt to resources like the registry or a file (e.g., a
temporary file in a poorly-thought-out place, as you outline), the user
gets his/her own copy of the file and can continue to use the
application as if it were able to alter the file in question.

This is the root of the groan at "poly-instantiated" files earlier in
the thread.  If a broken application writes to the system directory,
program files, etc., it will silently be redirected into a user-only
directory that will contain the modified files.

I can picture a few nightmare scenarios that would massively clog up
that shadow directory (e.g., applications that assume users are able to
install software updates), but I'd imagine that AIM could be
enabled/disabled on a case-by-case basis.

If AIM is implemented in a reasonably intelligent manner (not a given,
necessarily) it could very well eliminate a few of the needless
administrative-privilege dependencies in today's applications.

Some apps will continue to require full administrative privileges,
simply because they use functionality that shouldn't be accessible to
users.  These include things like Backup, Policy Editors, etc.  If
you're an administrator limited by Vista's UAC, you can elevate those
applications up to full rights with the click of a button.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFD/RLLfp4vUrVETTgRA/XYAKCGclsY6wpUReXFjLZZU4TV59ne4gCaA2G5
wiYJOlPq7FfE28Ak7QPwYBo=
=/4AS
-----END PGP SIGNATURE-----


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
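The redirection Matthew describes above (a standard-user write into Program Files or the Windows directory silently landing in a per-user shadow copy) is easier to reason about with a small model. The following is an added example written for this archive page, not code from the thread or from Microsoft: it is a deliberately simplified model of Vista's file virtualization rules (protected roots under Program Files, Windows and ProgramData; executables and elevated, manifested or 64-bit processes are not redirected; the redirect target is the user's AppData\Local\VirtualStore tree), plus a defender-side inventory helper that, given paths found under a VirtualStore directory, reports which application folders are relying on the redirect so they can be fixed rather than run elevated. All file names and user names are constructed.

```python
from pathlib import PureWindowsPath

# Directory trees whose writes get redirected for a non-elevated process
# (simplified model; constructed list, drive letter assumed to be C:).
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\ProgramData"),
)

# Binary file types are never virtualized; a redirect here would let a
# standard user shadow code that other users execute.
EXEMPT_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}

VIRTUAL_STORE = ("AppData", "Local", "VirtualStore")


def _under_root(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive component-wise prefix check (Windows paths)."""
    if len(path.parts) <= len(root.parts):
        return False
    return [p.lower() for p in path.parts[: len(root.parts)]] == [
        r.lower() for r in root.parts
    ]


def virtualize_write(path: str, user: str, *, elevated: bool = False,
                     has_manifest: bool = False, is_64bit: bool = False) -> str:
    """Return the path a write would really land on.

    Elevated processes, processes with a UAC manifest and 64-bit processes
    are never redirected: their write either succeeds for real or fails
    with access denied, exactly like a legacy app that was simply blocked.
    """
    p = PureWindowsPath(path)
    if elevated or has_manifest or is_64bit:
        return str(p)
    if p.suffix.lower() in EXEMPT_SUFFIXES:
        return str(p)
    for root in PROTECTED_ROOTS:
        if _under_root(p, root):
            # Mirror the protected tree (minus the drive) under the user's
            # VirtualStore, e.g. ...\VirtualStore\Program Files\App\file.ini
            return str(PureWindowsPath(
                "C:/Users", user, *VIRTUAL_STORE,
                *root.parts[1:], *p.parts[len(root.parts):],
            ))
    return str(p)


def virtualized_apps(virtual_store_paths) -> dict:
    """Count shadow files per application folder (first two components
    after VirtualStore), so an admin can see which apps depend on the
    redirect instead of clogging the store indefinitely."""
    counts: dict = {}
    for s in virtual_store_paths:
        parts = PureWindowsPath(s).parts
        if "VirtualStore" not in parts:
            continue
        i = parts.index("VirtualStore")
        app = "\\".join(parts[i + 1:i + 3])
        counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a legacy app writing its settings into its own
    # install folder, once as a standard user and once elevated.
    target = r"C:\Program Files\LegacyApp\settings.ini"
    print(virtualize_write(target, "alice"))
    print(virtualize_write(target, "alice", elevated=True))
    # Constructed inventory of a user's VirtualStore.
    store = [
        r"C:\Users\alice\AppData\Local\VirtualStore\Program Files\LegacyApp\settings.ini",
        r"C:\Users\alice\AppData\Local\VirtualStore\Program Files\LegacyApp\cache.dat",
        r"C:\Users\alice\AppData\Local\VirtualStore\Windows\OldTool\log.txt",
    ]
    print(virtualized_apps(store))
```

The inventory helper is the part a defender actually wants: a large or fast-growing VirtualStore is exactly the "clogged shadow directory" scenario from the post, and the per-application counts tell you which vendor to push for a fix or which app genuinely needs an elevation prompt.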
