Comparison of privilege authorization features
Encyclopedia
A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS
, Windows
implementations prior to Windows NT
(and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics
, which began development in the 1960s; it wasn't until UNIX
, BSD, Linux
, and NT
in the late 80s and early 90s that multi-tasking security contexts were brought to x86, consumer machines.
Mac OS
Unix and GNU/Linux
ing the security feature into granting malicious applications higher privileges.
If either gksudo's "lock" feature or UAC's Secure Desktop were compromised or disabled, malicious applications could gain administrator privileges by using keystroke logging
to record the administrator's password; or, in the case of UAC if running as an administrator, spoofing a mouse click on the "Allow" button. For this reason, voice recognition is also prohibited from interacting with the dialog. Note that since gksu password prompt runs without special privileges, malicious applications can still do keystroke logging using e.g. the strace
tool.
dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.
, or in other words, ease of use.
sudo's approach is a trade-off between security and usability. On one hand, a user only has to enter their password once to perform a series of administrator tasks, rather than having to enter their password for each task. But at the same time, the surface area for attack is larger because all programs that run in that tty (for sudo) or all programs not running in a terminal (for gksudo and kdesu) prefixed by either of those commands before the timeout receive administrator privileges. Security-conscious users may remove the temporary administrator privileges upon completing the tasks requiring them by using the
The application only requires authentication once, and is requested at the time the application needs the privilege. Once "elevated", the application does not need to authenticate again until the application has been Quit and relaunched.
However, there are varying levels of authentication, known as Rights. The right that is requested can be shown by expanding the triangle next to "details", underneath the password. Normally, applications use system.privilege.admin, but another may be used, such as a lower right for security, or a higher right if higher access is needed. If the right the application has is not suitable for a task, the application may need to authenticate again to increase the privilege level.
In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:
pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
DOS
DOS, short for "Disk Operating System", is an acronym for several closely related operating systems that dominated the IBM PC compatible market between 1981 and 1995, or until about 2000 if one includes the partially DOS-based Microsoft Windows versions 95, 98, and Millennium Edition.Related...
, Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
implementations prior to Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
(and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics
Multics
Multics was an influential early time-sharing operating system. The project was started in 1964 in Cambridge, Massachusetts...
, which began development in the 1960s; it wasn't until UNIX
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
, BSD, Linux
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
, and NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
in the late 80s and early 90s that multi-tasking security contexts were brought to x86, consumer machines.
Introduction to implementations
Microsoft WindowsUser Account Control prompt dialog box | User Account Control User Account Control User Account Control is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7 and Windows Server 2008 R2... (UAC): Included with Windows Vista Windows Vista Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs... and later Microsoft Windows Microsoft Windows Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal... operating systems, UAC prompts the user for authorization when an application tries to perform an administrator task. |
Runas Runas In computing, runas is a command in the Microsoft Windows line of operating systems that allows a user to run specific tools and programs under a different username to the one that was used to logon to a computer interactively... : A command-line tool introduced with Windows 2000 Windows 2000 Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the... that allows running a program, control panel applet Control Panel (Windows) The Control Panel is a part of the Microsoft Windows graphical user interface which allows users to view and manipulate basic system settings and controls via applets, such as adding hardware, adding and removing software, controlling user accounts, and changing accessibility options... , or a MMC snap-in Microsoft Management Console Microsoft Management Console is a component of Windows 2000 and its successors that provides system administrators and advanced users an interface for configuring and monitoring the system.- Snap-ins and consoles :... as a different user. Runas makes use of the "Secondary Login" Windows service Windows Service On Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. Windows services can be configured to start when the operating system is booted and run in the background as long as... , also introduced with Windows 2000. This service provides the capability to allow applications running as a separate user to interact with the logged-in user's desktop. This is necessary to support drag-and-drop, clipboard sharing, and other interactive login features. |
Mac OS
Mac OS X Mac OS X Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems... includes the Authenticate dialog, which prompts the user to input their password in order to perform administrator tasks. |
Unix and GNU/Linux
PolicyKit/pkexec PolicyKit PolicyKit is an operating system component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to systems such as sudo, it does not grant root permission to an entire... : A privilege authorization feature, designed to be independent of the desktop environment in use and already adopted by GNOME GNOME GNOME is a desktop environment and graphical user interface that runs on top of a computer operating system. It is composed entirely of free and open source software... In contrast to earlier systems, applications using PolicyKit never run with privileges above those of the current user. Instead, they indirectly make requests of the PolicyKit daemon Daemon (computer software) In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user... , which is the only program that runs as root. |
|
Sudo, running in Terminal window in Ubuntu | su Su (Unix) The su command, also referred to as super user substitute user, spoof user, set user or switch user, allows a computer operator to change the current user account associated with the running virtual console.... : A command line tool for Unix Unix Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna... . su (substitute user) allows users to switch the terminal to a different account by entering the username and password of that account. If no user name is given, the operating system's superuser Superuser On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor.... account (known as "root") is used, thus providing a fast method to obtain a login shell Shell (computing) A shell is a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel. However, the term is also applied very loosely to applications and may include any software that is "built around" a particular component, such as web... with full privileges to the system. Issuing an exit Exit (operating system) On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. The operating system reclaims resources that were used by the process... command returns the user to their own account. |
sudo Sudo sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user... : Created around 1980, sudo is a highly configurable Unix command line tool similar to su, but it allows certain users to run programs with root privileges without spawning a root shell or requiring root's password. |
|
GKSu and GKsudo: GTK+ Graphical Gui Gui or guee is a generic term to refer to grilled dishes in Korean cuisine. These most commonly have meat or fish as their primary ingredient, but may in some cases also comprise grilled vegetables or other vegetarian ingredients. The term derives from the verb, "gupda" in Korean, which literally... frontend to su and sudo. GKsu comes up automatically when a supported application needs to perform an action requiring root privileges. A replacement, "gksu PolicyKit", which uses PolicyKit PolicyKit PolicyKit is an operating system component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to systems such as sudo, it does not grant root permission to an entire... rather than su/sudo, is being developed as part of GNOME GNOME GNOME is a desktop environment and graphical user interface that runs on top of a computer operating system. It is composed entirely of free and open source software... . |
|
kdesu: A Qt graphical front-end to the su command for KDE KDE KDE is an international free software community producing an integrated set of cross-platform applications designed to run on Linux, FreeBSD, Microsoft Windows, Solaris and Mac OS X systems... . |
|
kdesudo: A Qt graphical front-end to sudo that has replaced kdesu in Kubuntu Kubuntu Kubuntu is an official derivative of the Ubuntu operating system using the KDE Plasma Desktop instead of the Unity graphical environment. It is part of the Ubuntu project and uses the same underlying system. It is possible to install both the KDE Plasma Desktop as well as the Unity desktop on... , starting with Kubuntu 7.10. |
|
ktsuss ktsuss stands for "keep the su simple, stupid", and is a graphical version of su. The idea of the project is to remain simple and bug free. |
|
beesu: A graphical front-end to the su command that has replaced gksu in Red Hat Red Hat Red Hat, Inc. is an S&P 500 company in the free and open source software sector, and a major Linux distribution vendor. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina with satellite offices worldwide.... based operating systems. It has been developed mainly for RHEL Red Hat Enterprise Linux Red Hat Enterprise Linux is a Linux-based operating system developed by Red Hat and targeted toward the commercial market. Red Hat Enterprise Linux is released in server versions for x86, x86-64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86-64... and Fedora Fedora (operating system) Fedora is a RPM-based, general purpose collection of software, including an operating system based on the Linux kernel, developed by the community-supported Fedora Project and sponsored by Red Hat... . |
Security considerations
Spoofed input
A major security consideration is the ability of malicious applications to simulate keystrokes or mouse clicks, thus tricking or spoofSpoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
ing the security feature into granting malicious applications higher privileges.
- su and sudo run in the terminal, where they are vulnerable to spoofed input. Of course, if the user was not running a multitasking environment (i.e. a single user in the shell only), this would not be a problem.
- By default, gksudo "locks" the keyboard, mouse, and window focus, preventing anything but the actual user from inputting the password or otherwise interfering with the confirmation dialogConfirmation dialog boxConfirmation dialog is a dialog box that asks user to approve requested operation. Usually this dialog appears before a potentially dangerous operation is performed...
. - By default, UAC runs in the Secure Desktop, preventing malicious applications from simulating clicking the "Allow" button or otherwise interfering with the confirmation dialog. In this mode, the user's desktop appears dimmed and cannot be interacted with.
If either gksudo's "lock" feature or UAC's Secure Desktop were compromised or disabled, malicious applications could gain administrator privileges by using keystroke logging
Keystroke logging
Keystroke logging is the action of tracking the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored...
to record the administrator's password; or, in the case of UAC if running as an administrator, spoofing a mouse click on the "Allow" button. For this reason, voice recognition is also prohibited from interacting with the dialog. Note that since gksu password prompt runs without special privileges, malicious applications can still do keystroke logging using e.g. the strace
Strace
strace is a debugging utility for Linux and some other Unix-like systems to monitor the system calls used by a program and all the signals it receives, similar to "truss" utility in other Unix systems...
tool.
- In GNOME, PolicyKit directs the XX Window SystemThe X window system is a computer software system and network protocol that provides a basis for graphical user interfaces and rich input device capability for networked computers...
server to capture all keyboard and mouse input. Other desktop environments using PolicyKit may use their own mechanisms.
Spoofed dialogs
Another security consideration is the ability of malicious software to spoofSpoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.
- Though it is not the default behavior for usability reasons, UAC may be configured to require the user to press Ctrl+Alt+DelControl-Alt-DeleteControl-Alt-Delete is a computer keyboard command on IBM PC compatible systems that can be used to reboot the computer, and summon the task manager or Windows Security in more recent versions of the Microsoft Windows operating system...
(known as the secure attention sequence) as part of the authentication process. Because only Windows can detect this key combination, requiring this additional security measure would prevent spoofed dialogs from behaving the same way as a legitimate dialog. For example, a spoofed dialog might not ask the user to press Ctrl+Alt+Del, and the user could realize that the dialog was fake. Or, when the user did press Ctrl+Alt+Del, the user would be brought to the screen Ctrl+Alt+Del normally brings them to instead of a UAC confirmation dialog. Thus the user could tell whether the dialog was an attempt to trick them into providing their password to a piece of malicious software. - In GNOME, PolicyKit uses different dialogs, depending on the configuration of the system. For example, the authentication dialog for a system equipped with a fingerprint reader might look different from an authentication dialog for a system without one. Applications do not have access to the configuration of PolicyKit, so they have no way of knowing which dialog will appear and thus how to spoof it.
Usability considerations
Another consideration that has gone into these implementations is usabilityUsability
Usability is the ease of use and learnability of a human-made object. The object of use can be a software application, website, book, tool, machine, process, or anything a human interacts with. A usability study may be conducted as a primary job function by a usability analyst or as a secondary job...
, or in other words, ease of use.
Separate administrator account
- su require the user to know the password to at least two accounts: the regular-use account, and an account with higher privileges such as rootSuperuserOn many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
. - sudo, kdesu and gksudo use a simpler approach. With these programs, the user is pre-configured to be granted access to specific administrative tasks, but must explicitly authorize applications to run with those privileges. The user enters their own password instead of that of the superuser or some another account.
- UAC and Authenticate combine these two ideas into one. With these programs, administrators explicitly authorize programs to run with higher privileges. Non-administrators are prompted for an administrator username and password.
- PolicyKit can be configured to adopt any of these approaches. In practice, the distribution will choose one.
Simplicity of dialog
- In order to grant an application administrative privileges, sudo, gksudo, and Authenticate prompt administrators to re-enter their password.
- With UAC, when logged in as a standard user, the user must enter an administrator's name and password each time they need to grant an application elevated privileges; but when logged in as a member of the Administrators group, they (by default) simply confirm or deny, instead of re-entering their password each time (though that is an option). While the default approach is simpler, it is also less secure, since if the user physically walks away from the computer without locking it, another person could walk up and have administrator privileges over the system.
- PolicyKit requires the user to re-enter his or her password or provide some other means of authentication (e.g. fingerprint).
Saving credentials
- UAC prompts for authorization each time it is called to elevate a program.
- sudo, gksudo, and kdesu do not ask the user to re-enter their password every time it is called to elevate a program. Rather, the user is asked for their password once at the start. If the user has not used their administrative privileges for a certain period of time (sudo's default is 5 minutes), the user is once again restricted to standard user privileges until they enter their password again.
sudo's approach is a trade-off between security and usability. On one hand, a user only has to enter their password once to perform a series of administrator tasks, rather than having to enter their password for each task. But at the same time, the surface area for attack is larger because all programs that run in that tty (for sudo) or all programs not running in a terminal (for gksudo and kdesu) prefixed by either of those commands before the timeout receive administrator privileges. Security-conscious users may remove the temporary administrator privileges upon completing the tasks requiring them by using the
sudo -k
command when from each tty or pts in which sudo was used (in the case of pts's, closing the terminal emulator is not sufficient). The equivalent command for kdesu is kdesu -s
. There is no gksudo option to do the same; however, running sudo -k
not within a terminal instance (e.g. through the Alt + F2 "Run Application" dialogue box, unticking "Run in terminal") will have the desired effect.- Authenticate does not save passwords. If the user is a standard user, they must enter a username and a password. If the user is an administrator, the current user's name is already filled in, and only needs to enter their password. The name can still be modified to run as another user.
The application only requires authentication once, and is requested at the time the application needs the privilege. Once "elevated", the application does not need to authenticate again until the application has been Quit and relaunched.
However, there are varying levels of authentication, known as Rights. The right that is requested can be shown by expanding the triangle next to "details", underneath the password. Normally, applications use system.privilege.admin, but another may be used, such as a lower right for security, or a higher right if higher access is needed. If the right the application has is not suitable for a task, the application may need to authenticate again to increase the privilege level.
- PolicyKit can be configured to adopt either of these approaches.
Identifying when administrative rights are needed
In order for an operating system to know when to prompt the user for authorization, an application or action needs to identify itself as requiring elevated privileges. While it is technically possible for the user to be prompted at the exact moment that an operation requiring such privileges is executed, it is often not ideal to ask for privileges partway through completing a task. If the user were unable to provide proper credentials, the work done before requiring administrator privileges would have to be undone because the task could not be seen though to the end.In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:
- sudo centralises all privilege authorization information in a single configuration file,
/etc/sudoers
, which contains a list of users and the privileged applications and actions that those users are permitted to use. The grammar of the sudoers file is intended to be flexible enough to cover many different scenarios, such as placing restrictions on command-line parameters. For example, a user can be granted access to change anybody's password except for the root account, as follows:
pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
- User Account Control uses a combination of heuristic scanning and "application manifests" to determine if an application requires administrator privileges. Manifest files, first introduced with Windows XP, are XMLXMLExtensible Markup Language is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards....
files with the same name as the application and a suffix of ".manifest", e.g.Notepad.exe.manifest
. When an application is started, the manifest is looked at for information about what security requirements the application has. For example, this XML fragment will indicate that the application will require administrator access, but will not require unfettered access to other parts of the user desktop outside the application:
- Manifest files can also be compiled into the application executable itself as an embedded resourceResource (Windows)In Microsoft Windows, resources are read-only data embedded in EXE, DLL, CPL or MUI files.The Windows API provides for easy access to all applications' resources.-Types:...
. Heuristic scanning is also used, primarily for backwards compatibility. One example of this is looking at the executable's file name; if it contains the word "Setup", it is assumed that the executable is an installer, and a UAC prompt is displayed before the application starts.
- UAC also makes a distinction between elevation requests from a signed executable and an unsigned executable; and if the former, whether or not the publisher is 'Windows Vista'. The color, icon, and wording of the prompts are different in each case: for example, attempting to convey a greater sense of warning if the executable is unsigned than if not.
- Applications using PolicyKit ask for specific privileges when prompting for authentication, and PolicyKit performs those actions on behalf of the application. Before authenticating, users are able to see which application requested the action and which action was requested.
See also
- Privilege escalationPrivilege escalationPrivilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
, a term used to describe a type of security exploit - Principle of least privilegePrinciple of least privilegeIn information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module must be able to access only the...
, a security design pattern - Privileged Identity ManagementPrivileged Identity ManagementPrivileged Identity Management is a domain within Identity Management focused on the special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as an Information Security and governance tool to help companies in meeting compliance regulations and...
, the methodology of managing privileged accounts - Privileged password managementPrivileged password managementPrivileged password management software may be deployed by organizations to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value...
, similar concept to privileged identity management:- i.e., periodically scramble privileged passwords; and
- store password values in a secure, highly available vault; and
- apply policy regarding when, how and to whom these passwords may be disclosed.