Comparison of privilege authorization features

Last updated March 31, 2024

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT (and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

Introduction to implementations

Microsoft Windows

User Account Control prompt dialog box

User Account Control (UAC):
Included with Windows Vista and later Microsoft Windows operating systems, UAC prompts the user for authorization when an application tries to perform an administrator task.^[1]

Runas :
A command-line tool and context-menu verb introduced with Windows 2000 that allows running a program, control panel applet, or a MMC snap-in as a different user.^[2] Runas makes use of the "Secondary Login" Windows service, also introduced with Windows 2000.^[3] This service provides the capability to allow applications running as a separate user to interact with the logged-in user's desktop. This is necessary to support drag-and-drop, clipboard sharing, and other interactive login features.

macOS

macOS includes the Authenticate dialog, which prompts the user to input their password in order to perform administrator tasks. This is essentially a graphical front-end of sudo command.

Unix and Unix-like

	PolicyKit/pkexec : A privilege authorization feature, designed to be independent of the desktop environment in use and already adopted by GNOME ^[4] In contrast to earlier systems, applications using PolicyKit never run with privileges above those of the current user. Instead, they indirectly make requests of the PolicyKit daemon, which is the only program that runs as root.
	su : A command line tool for Unix. su (substitute user) allows users to switch the terminal to a different account by entering the username and password of that account. If no user name is given, the operating system's superuser account (known as "root") is used, thus providing a fast method to obtain a login shell with full privileges to the system. Issuing an exit command returns the user to their own account.
	sudo : Created around 1980,^[5]sudo is a highly configurable Unix command line tool similar to su, but it allows certain users to run programs with root privileges without spawning a root shell or requiring root's password.^[6]
	GKSu and GKsudo: GTK+ Graphical frontend to su and sudo.^[7]GKsu comes up automatically when a supported application needs to perform an action requiring root privileges. A replacement, "gksu PolicyKit", which uses PolicyKit rather than su/sudo, is being developed as part of GNOME.^[8]
	kdesu: A Qt graphical front-end to the su command for KDE.^[9]
	kdesudo: A Qt graphical front-end to sudo that has replaced kdesu in Kubuntu, starting with Kubuntu 7.10.^[10]
	ktsuss: ktsuss stands for "keep the susimple, stupid", and is a graphical version of su. The idea of the project is to remain simple and bug free.
	beesu: A graphical front-end to the su command that has replaced gksu in Red Hat based operating systems. It has been developed mainly for RHEL and Fedora.^[11]
	doas : sudo replacement since OpenBSD 5.8 (October 2015)

Security considerations

Falsified/intercepted user input

A major security consideration is the ability of malicious applications to simulate keystrokes or mouse clicks, thus tricking or spoofing the security feature into granting malicious applications higher privileges.

Using a terminal based client (standalone or within a desktop/GUI):su and sudo run in the terminal, where they are vulnerable to spoofed input. Of course, if the user was not running a multitasking environment (i.e. a single user in the shell only), this would not be a problem. Terminal windows are usually rendered as ordinary windows to the user, therefore on an intelligent client or desktop system used as a client, the user must take responsibility for preventing other malware on their desktop from manipulating, simulating, or capturing input.
Using a GUI/desktop tightly integrated to the operating system: Commonly, the desktop system locks or secures all common means of input, before requesting passwords or other authentication, so that they cannot be intercepted, manipulated, or simulated:

PolicyKit (GNOME - directs the X server to capture all keyboard and mouse input. Other desktop environments using PolicyKit may use their own mechanisms.
gksudo - by default "locks" the keyboard, mouse, and window focus,^[12] preventing anything but the actual user from inputting the password or otherwise interfering with the confirmation dialog.
UAC (Windows) - by default runs in the Secure Desktop, preventing malicious applications from simulating clicking the "Allow" button or otherwise interfering with the confirmation dialog.^[13] In this mode, the user's desktop appears dimmed and cannot be interacted with.

If either gksudo's "lock" feature or UAC's Secure Desktop were compromised or disabled, malicious applications could gain administrator privileges by using keystroke logging to record the administrator's password; or, in the case of UAC if running as an administrator, spoofing a mouse click on the "Allow" button. For this reason, voice recognition is also prohibited from interacting with the dialog.^{[ citation needed ]} Note that since gksu password prompt runs without special privileges, malicious applications can still do keystroke logging using e.g. the strace tool.^[14] (ptrace was restricted in later kernel versions)^[15]

Fake authentication dialogs

Another security consideration is the ability of malicious software to spoof dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.

Though it is not the default behavior for usability reasons, UAC may be configured to require the user to press Ctrl+Alt+Del (known as the secure attention sequence) as part of the authentication process. Because only Windows can detect this key combination, requiring this additional security measure would prevent spoofed dialogs from behaving the same way as a legitimate dialog.^[16] For example, a spoofed dialog might not ask the user to press Ctrl+Alt+Del, and the user could realize that the dialog was fake. Or, when the user did press Ctrl+Alt+Del, the user would be brought to the screen Ctrl+Alt+Del normally brings them to instead of a UAC confirmation dialog. Thus the user could tell whether the dialog was an attempt to trick them into providing their password to a piece of malicious software.
In GNOME, PolicyKit uses different dialogs, depending on the configuration of the system. For example, the authentication dialog for a system equipped with a fingerprint reader might look different from an authentication dialog for a system without one. Applications do not have access to the configuration of PolicyKit, so they have no way of knowing which dialog will appear and thus how to spoof it.^[17]

Usability considerations

Another consideration that has gone into these implementations is usability.

Separate administrator account

su require the user to know the password to at least two accounts: the regular-use account, and an account with higher privileges such as root.
sudo, kdesu and gksudo use a simpler approach. With these programs, the user is pre-configured to be granted access to specific administrative tasks, but must explicitly authorize applications to run with those privileges. The user enters their own password instead of that of the superuser or some another account.
UAC and Authenticate combine these two ideas into one. With these programs, administrators explicitly authorize programs to run with higher privileges. Non-administrators are prompted for an administrator username and password.
PolicyKit can be configured to adopt any of these approaches. In practice, the distribution will choose one.

Simplicity of dialog

In order to grant an application administrative privileges, sudo,^[18]gksudo, and Authenticate prompt administrators to re-enter their password.
With UAC, when logged in as a standard user, the user must enter an administrator's name and password each time they need to grant an application elevated privileges; but when logged in as a member of the Administrators group, they (by default) simply confirm or deny, instead of re-entering their password each time (though that is an option). While the default approach is simpler, it is also less secure,^[16] since if the user physically walks away from the computer without locking it, another person could walk up and have administrator privileges over the system.
PolicyKit requires the user to re-enter his or her password or provide some other means of authentication (e.g. fingerprint).

Saving credentials

UAC prompts for authorization each time it is called to elevate a program.
sudo,^[6]gksudo, and kdesu do not ask the user to re-enter their password every time it is called to elevate a program. Rather, the user is asked for their password once at the start. If the user has not used their administrative privileges for a certain period of time (sudo's default is 5 minutes^[6]), the user is once again restricted to standard user privileges until they enter their password again.

sudo's approach is a trade-off between security and usability. On one hand, a user only has to enter their password once to perform a series of administrator tasks, rather than having to enter their password for each task. But at the same time, the surface area for attack is larger because all programs that run in that tty (for sudo) or all programs not running in a terminal (for gksudo and kdesu) prefixed by either of those commands before the timeout receive administrator privileges. Security-conscious users may remove the temporary administrator privileges upon completing the tasks requiring them by using the sudo -k command when from each tty or pts in which sudo was used (in the case of pts's, closing the terminal emulator is not sufficient). The equivalent command for kdesu is kdesu -s. There is no gksudo option to do the same; however, running sudo -k not within a terminal instance (e.g. through the Alt + F2 "Run Application" dialogue box, unticking "Run in terminal") will have the desired effect.

Authenticate does not save passwords. If the user is a standard user, they must enter a username and a password. If the user is an administrator, the current user's name is already filled in, and only needs to enter their password. The name can still be modified to run as another user.

The application only requires authentication once, and is requested at the time the application needs the privilege. Once "elevated", the application does not need to authenticate again until the application has been Quit and relaunched.

However, there are varying levels of authentication, known as Rights. The right that is requested can be shown by expanding the triangle next to "details", underneath the password. Normally, applications use system.privilege.admin, but another may be used, such as a lower right for security, or a higher right if higher access is needed. If the right the application has is not suitable for a task, the application may need to authenticate again to increase the privilege level.

PolicyKit can be configured to adopt either of these approaches.

Identifying when administrative rights are needed

In order for an operating system to know when to prompt the user for authorization, an application or action needs to identify itself as requiring elevated privileges. While it is technically possible for the user to be prompted at the exact moment that an operation requiring such privileges is executed, it is often not ideal to ask for privileges partway through completing a task. If the user were unable to provide proper credentials, the work done before requiring administrator privileges would have to be undone because the task could not be seen through to the end.

In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:

sudo centralizes all privilege authorization information in a single configuration file, /etc/sudoers, which contains a list of users and the privileged applications and actions that those users are permitted to use. The grammar of the sudoers file is intended to be flexible enough to cover many different scenarios, such as placing restrictions on command-line parameters. For example, a user can be granted access to change anybody's password except for the root account, as follows:

 pete    ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

User Account Control uses a combination of heuristic scanning and "application manifests" to determine if an application requires administrator privileges.^[19] Manifest (.manifest) files, first introduced with Windows XP, are XML files with the same name as the application and a suffix of ".manifest", e.g. Notepad.exe.manifest. When an application is started, the manifest is looked at for information about what security requirements the application has. For example, this XML fragment will indicate that the application will require administrator access, but will not require unfettered access to other parts of the user desktop outside the application:

<security><requestedPrivileges><requestedExecutionLevellevel="requireAdministrator"uiAccess="false"/></requestedPrivileges></security>

Manifest files can also be compiled into the application executable itself as an embedded resource. Heuristic scanning is also used, primarily for backwards compatibility. One example of this is looking at the executable's file name; if it contains the word "Setup", it is assumed that the executable is an installer, and a UAC prompt is displayed before the application starts.^[20]

UAC also makes a distinction between elevation requests from a signed executable and an unsigned executable; and if the former, whether or not the publisher is 'Windows Vista'. The color, icon, and wording of the prompts are different in each case: for example, attempting to convey a greater sense of warning if the executable is unsigned than if not.^[21]

Applications using PolicyKit ask for specific privileges when prompting for authentication, and PolicyKit performs those actions on behalf of the application. Before authenticating, users are able to see which application requested the action and which action was requested.

Related Research Articles

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role-based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

sudo is a program for Unix-like computer operating systems that enables users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and it is its most common usage; however, the official Sudo project page lists it as "su 'do' ". The current Linux manual pages for su define it as "substitute user", making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware are kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.

In computing, a shatter attack is a programming technique employed by hackers on Microsoft Windows operating systems to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session, that makes use of a message loop. This could result in a privilege escalation exploit.

There are several forms of software used to help users or organizations better manage passwords:

Task Manager, previously known as Windows Task Manager, is a task manager, system monitor, and startup manager included with Microsoft Windows systems. It provides information about computer performance and running software, including name of running processes, CPU and GPU load, commit charge, I/O details, logged-in users, and Windows services. Task Manager can also be used to set process priorities, processor affinity, start and stop services, and forcibly terminate processes.

<span class="mw-page-title-main">Quick Assist</span> Microsoft Windows remote access feature

Quick Assist is a Microsoft Windows feature that allows a user to view or control a remote Windows computer over a network or the Internet to resolve issues without directly touching the unit. It is based on the Remote Desktop Protocol (RDP). It is complemented by Get Help, a feature introduced in Windows 10 that enables the user to contact Microsoft directly but does not allow for remote desktoping or screen sharing.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes.

<span class="mw-page-title-main">Polkit</span> Component of UNIX systems

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

Windows XP and Windows Vista differ considerably in regards to their security architecture, networking technologies, management and administration, shell and user interface, and mobile computing. Windows XP has suffered criticism for security problems and issues with performance. Vista has received criticism for issues with performance and product activation. Another common criticism of Vista concerns the integration of new forms of DRM into the operating system, and User Account Control (UAC) security technology.

Shell Control Box (SCB) is a network security appliance that controls privileged access to remote IT systems, records activities in replayable audit trails, and prevents malicious actions. For example, it records as a system administrator updates a file server or a third-party network operator configures a router. The recorded audit trails can be replayed like a movie to review the events as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible.

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.

References

↑ "User Account Control Overview". Microsoft. 2006-10-02. Archived from the original on 2011-08-22. Retrieved 2007-03-12.
↑ "Runas". Windows XP Product Documentation. Microsoft. Retrieved 2007-03-13.
↑ ""RunAs" basic (and intermediate) topics". Aaron Margosis' WebLog. MSDN Blogs. 2004-06-23. Retrieved 2007-03-13.
↑ "About PolicyKit". PolicyKit Language Reference Manual. 2007. Archived from the original on 2012-02-18. Retrieved 2017-11-03.
↑ Miller, Todd C. "A Brief History of Sudo". Archived from the original on 2007-02-22. Retrieved 2007-03-12.
1 2 3 Miller, Todd C. "Sudo in a Nutshell" . Retrieved 2007-07-01.
↑ "GKSu home page".
↑ "gksu PolicyKit on Gnome wiki".
↑ Bellevue Linux (2004-11-20). "The KDE su Command". Archived from the original on 2007-02-02. Retrieved 2007-03-12.
↑ Canonical Ltd. (2007-08-25). "GutsyGibbon/Tribe5/Kubuntu" . Retrieved 2007-09-18.
↑ You can read more about beesu Archived 2011-07-25 at the Wayback Machine and download it from Koji
↑ "gksu - a Gtk+ su frontend Linux Man Page". Archived from the original on 2011-07-15. Retrieved 2007-08-14.
↑ "User Account Control Prompts on the Secure Desktop". UACBlog. Microsoft. 2006-05-03. Retrieved 2007-03-04.
↑ "gksu: locking mouse/keyboard not enough to protect against keylogging".
↑ "ptrace Protection".
1 2 Allchin, Jim (2007-01-23). "Security Features vs. Convenience". Windows Vista Team Blog. Microsoft . Retrieved 2007-03-12.
↑ "Authentication Agent". 2007. Archived from the original on 2012-02-18. Retrieved 2017-11-15.
↑ Miller, Todd C. "Sudoers Manual" . Retrieved 2007-03-12.
↑ "Developer Best Practices and Guidelines for Applications in a Least Privileged Environment". MSDN. Microsoft. Retrieved 2007-03-15.
↑ "Understanding and Configuring User Account Control in Windows Vista". TechNet. Microsoft. Retrieved 2007-03-15.
↑ "Accessible UAC Prompts". Windows Vista Blog. Microsoft. Archived from the original on 2008-01-27. Retrieved 2008-02-13.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "User Account Control Overview". Microsoft. 2006-10-02. Archived from the original on 2011-08-22. Retrieved 2007-03-12.

[2] "Runas". Windows XP Product Documentation. Microsoft. Retrieved 2007-03-13.

[3] ""RunAs" basic (and intermediate) topics". Aaron Margosis' WebLog. MSDN Blogs. 2004-06-23. Retrieved 2007-03-13.

[4] "About PolicyKit". PolicyKit Language Reference Manual. 2007. Archived from the original on 2012-02-18. Retrieved 2017-11-03.

[5] Miller, Todd C. "A Brief History of Sudo". Archived from the original on 2007-02-22. Retrieved 2007-03-12.

[Sudo_Nutshell-6] 1 2 3 Miller, Todd C. "Sudo in a Nutshell" . Retrieved 2007-07-01.

[7] "GKSu home page".

[8] "gksu PolicyKit on Gnome wiki".

[9] Bellevue Linux (2004-11-20). "The KDE su Command". Archived from the original on 2007-02-02. Retrieved 2007-03-12.

[10] Canonical Ltd. (2007-08-25). "GutsyGibbon/Tribe5/Kubuntu" . Retrieved 2007-09-18.

[11] You can read more about beesu Archived 2011-07-25 at the Wayback Machine and download it from Koji

[12] "gksu - a Gtk+ su frontend Linux Man Page". Archived from the original on 2011-07-15. Retrieved 2007-08-14.

[13] "User Account Control Prompts on the Secure Desktop". UACBlog. Microsoft. 2006-05-03. Retrieved 2007-03-04.

[14] "gksu: locking mouse/keyboard not enough to protect against keylogging".

[15] "ptrace Protection".

[Allchin-16] 1 2 Allchin, Jim (2007-01-23). "Security Features vs. Convenience". Windows Vista Team Blog. Microsoft . Retrieved 2007-03-12.

[17] "Authentication Agent". 2007. Archived from the original on 2012-02-18. Retrieved 2017-11-15.

[18] Miller, Todd C. "Sudoers Manual" . Retrieved 2007-03-12.

[19] "Developer Best Practices and Guidelines for Applications in a Least Privileged Environment". MSDN. Microsoft. Retrieved 2007-03-15.

[20] "Understanding and Configuring User Account Control in Windows Vista". TechNet. Microsoft. Retrieved 2007-03-15.

[21] "Accessible UAC Prompts". Windows Vista Blog. Microsoft. Archived from the original on 2008-01-27. Retrieved 2008-02-13.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]