The Slow Evolution of Permissions Improvements

By Larry Seltzer  |  Posted 2006-05-16 Print this article Print

Opinion: Security models for mainstream operating systems are not flexible or powerful enough to do the things we need to do, but most users aren't ready for improvements.

Theres no question that the user-oriented permission model has problems. Its an attempt at a simple facade on top of a complex set of issues.

If mainstream operating systems are still "stuck" with it, its because the alternatives are, to put it kindly, underdeveloped at this point.
A fascinating analysis of "trusted" operating systems by eWEEK Labs Senior Analyst Jason Brooks touches on many of these issues.
As his example of Red Hats Fedora Core 2 shows, once you enable fine-grained security policies and then lock down the system, the way that security experts advocate the system becomes impracticably complex. Too many things were broken on real-world configurations. Subsequent releases offered a less fascist approach and have been improving the tools for admins to turn the security screws slowly so that applications (the whole point of the computers) will work in as secure an environment as can be managed. The vision of a world where advanced security controls work requires that application developers scrupulously document the specific privileges that their applications require, and attempt to use the minimum necessary. Unfortunately, in the real world, developers too often show disdain for such concerns. This is why so many corporate users are running as administrator users (or, basically as bad, Power Users) on their local desktops. Click here to read a review of DesktopStandards PolicyMaker Application Security 2.5.

Windows Vista will at least slow this problem down and allow users to elevate their user privileges on an ad-hoc basis. It will also allow users to run as standard, unprivileged users except for when running applications which the administrator has designated as needing a more-privileged user context. All of this is too complicated for most people, but theres something better thats much more complicated. The trusted operating systems of which Brooks wrote qualify, and even Windows has the capacity for greater control. Its just that Windows doesnt expose the built-in functionality that allows that control. Every running application has a security "token" to which Windows attaches specific privileges. Click here for a complete list of the privileges and heres a few samples:
  • SeCreatePermanentPrivilege—User Right: Create permanent shared objects.
  • SeLoadDriverPrivilege—User Right: Load and unload device drivers.
  • SeShutdownPrivilege—User Right: Shut down the system.
  • SeSystemEnvironment—User Right: Modify firmware environment values.
  • SeSystemtimePrivilege—User Right: Change the system time.
  • SeTcbPrivilege—User Right: Act as part of the operating system.
The free Sysinternals Process Explorer tool will show you all the operative tokens for applications running in the system. Too bad Windows doesnt provide any actual tools, not even bad ones, to manage these privileges. (Actually, there is one tool in the Windows resource kits since Windows 2000 that touches on these capabilities: NTRights.) There are several systems which attempt to bring a management approach to this level of security: Winternals Softwares Protection Manager, DesktopStandards PolicyMaker Application Security. Click here to read a review of Winternals Softwares Protection Manager 1.0

Its good that powerful security management tools are finally becoming available to administrators who have the inclination and the gumption to use them, but this is advanced stuff. One day, mainstream operating systems have to find a way to make true least-privileged access accessible, but were years from that. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel