
"Very Severe Hole" In Vista UAC Design 813

Posted by kdawson
from the she-said-he-said dept.
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
  • by KingSkippus (799657) * on Tuesday February 13, 2007 @05:08PM (#18003076) Homepage Journal

    There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

    Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

    The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.

    After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

    Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

    Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

    If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

    As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

    • by dotpavan (829804) on Tuesday February 13, 2007 @05:13PM (#18003166) Homepage
      offtopic, yet:

      no doubt, that's why Dell is marketing its hardware for Vista as great for "booting the OS, w/o running apps or games [googlepages.com]" (link via this [dell.com])

      Since when did booting an OS become a "feature" of the OS?

    • by CheeseburgerBrown (553703) on Tuesday February 13, 2007 @05:16PM (#18003226) Homepage Journal
      I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.

      "What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."

      This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.

      Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)

      • by an.echte.trilingue (1063180) on Tuesday February 13, 2007 @05:43PM (#18003698) Homepage
        You know what really gets me about the annoying Vista security model? It's that the one in XP isn't THAT bad, it's just the default configuration that is THAT bad. If you (1) password protect the "administrator" account and (2) run as a non-admin user when not doing admin things (most of the time), you will eliminate many problems.

        I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

        Take care

        -mat

        • by AeroIllini (726211) <aeroillini&gmail,com> on Tuesday February 13, 2007 @08:01PM (#18005540)

          I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

          You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

          Why should it be any different for third-party applications requiring Administrator privileges to run on Windows?

          Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model. After all, a virus in *nix could conceivably blow away a user directory, but unless it's exploiting a buffer overflow or other coding error hole, it can't take down the system. The same is possible in Windows, but not available by default to your average Dell user.
          • by mpe (36238) on Wednesday February 14, 2007 @03:54AM (#18008946)
            You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

            Presumably you mean "any *nix software which claimed to be some kind of ordinary user application".
             You'd probably also want to ensure that the software itself was wiped from the face of the planet, since if the "developer" doesn't know about the setuid permission bit it's rather unlikely that they know enough to write software which has any chance of being bug free...

            Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model.

             In theory XP's permissions system is more capable than that on unix type systems, since every permission is an ACL (including deny options, thus you could say "Any user in accounts except for Anne and Bob can do this..."). In practice it appears even Microsoft have problems securing Windows properly.
    • by tiltowait (306189) on Tuesday February 13, 2007 @05:16PM (#18003232) Homepage Journal
      Video version of the above commentary here [apple.com].
    • by nuzak (959558) on Tuesday February 13, 2007 @05:17PM (#18003242) Journal
      You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to turn your machine into a child porn and warez server, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay?

      One of these things is not like the others,
      One of these things just doesn't belong,
      Can you tell which thing is not like the others
      By the time I finish my song?
    • Re: (Score:3, Funny)

      by minus_273 (174041)
      seems like you are coming to a sad realization [apple.com] cancel or allow?

    • Re: (Score:3, Informative)

      by Rycross (836649)
      Er what? For me, it only gave the nag screen when accessing the control panel, installing software, running software with administrative privileges, or running Visual Studio. The Visual Studio thing is annoying, but other than that, all of the other things are the exact same sort of things that I have to sudo for in Linux. Except I'm not having to enter a password, just click a box. I'm not sure where the big gripe comes from, and honestly I feel like people are blowing it way out of proportion. Unles
      • by SteveXE (641833) on Tuesday February 13, 2007 @06:28PM (#18004368)
        I'm with you. I get annoyed pretty quick when it comes to crap popping up on my screen but I've been running Vista since launch and it really doesn't bother me. I'm kinda glad it's asking if it's ok to do some of these things. It's already prevented one program that was piggy backing on another app I downloaded from installing. I downloaded the program which I trusted from a source I trusted. Well guess what was hidden in the install that Vista blocked from auto running? Spyware!

        Everyone seems to be making a huge deal out of nothing and they always get +5 moderation for doing so. If you don't like UAC then shut it off and move on, it's not that hard...oh wait I forgot. Microsoft sucks no matter what they do!
    • by Anonymous Coward on Tuesday February 13, 2007 @05:28PM (#18003452)
      I've been running Vista RTM since release and I hardly see any UAC prompts. The only times are when I run VMware or install a program.

      You want to run an application, is that okay?
      That's the application's fault. Most applications shouldn't need administrative rights to run, and if they've been written properly they won't prompt. WinRAR 3.61 never prompts for me, but 3.62 has UAC prompts for everything. AFAIK "Windows XP Certified" programs require programs to be written so that they can run without elevated privileges so this is nothing new. People just assumed that everyone would run in an Administrator account and ignored those guidelines.

      You want to copy a file, is that okay?

      That never happens unless you're copying files into protected directories such as Program Files or the Windows directory. I copy files around all the time without UAC prompts because I keep them in my User directories or an external hard drive.

      You want to change your desktop background, is that okay?
      This is just FUD. That never happens. If you right click on an image in IE7 and set it to background a regular IE prompt will appear, but no UAC.

      You want to copy text from IE7, is that okay?
      I can copy text just fine, doesn't seem to prompt for me.

      You want to delete an old text file, is that okay?
      See above, only in restricted directories.

      You want to paste text into a form field in IE7, is that okay?
      I just tried copy and pasting info into the login page at Bank of America and I get no prompts. Even copy and pasting into sensitive fields such as "Social Security Number" on a Citibank credit card application resulted in zero prompts.

      UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.

      MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).
    • by giafly (926567) on Tuesday February 13, 2007 @05:35PM (#18003550)
      The truth is out. Microsoft didn't kill clippy [cnn.com] in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing [eweek.com] questions.

      This link allegedly tells you how to turn the questions off [microsoft.com], but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
    • by EXMSFT (935404) on Tuesday February 13, 2007 @05:39PM (#18003612)
      UAC is so amazingly, fundamentally flawed. Has been from the beginning. As you noted, it's susceptible to user numbness. It's also susceptible to the dancing pigs phenomenon, something mentioned by Microsoft's own Steve Riley (see http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx [microsoft.com], and search for the words "dancing pigs").

      Mac has issued a salutation. Allow or deny? Comedy gold, and yet Apple hit the nail on the head.

      My expectation is that at least 50% of Windows Vista consumers will turn UAC off entirely, and the remaining 50% will ignore it (psychologically disable it) to the point that it may as well be disabled - especially applies in the enterprise computing world where Joe won't be allowed to turn it off, but still wants to do whatever he wants. Meaning that in the default configuration of users as hobbled admins, every Vista user is then an admin. Just like they are in XP. Really validates 5 years of hard work on security.
    • by The MAZZTer (911996) <<megazzt> <at> <gmail.com>> on Tuesday February 13, 2007 @05:48PM (#18003776) Homepage

      NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.

      Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.

    • Apple got it right (Score:5, Insightful)

      by ruiner13 (527499) on Tuesday February 13, 2007 @05:49PM (#18003784) Homepage
      There are 2 ways to install software.

      1. Drag application folder wherever you want it
      2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password

      How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
  • So what's new? (Score:3, Insightful)

    by jmac880n (659699) on Tuesday February 13, 2007 @05:10PM (#18003108)

    I believe that even RPM on linux runs the install scripts with admin access...

    • Re: (Score:3, Informative)

      by drinkypoo (153816)

      I believe that even RPM on linux runs the install scripts with admin access...

      If you install an RPM of unknown providence, you deserve what you get.

      Otherwise, the packages are presumed to have been tested by the maintainers and to not destroy your system.

      There is no such structure in Windows-land. You clearly do not understand how the system works if you think the two are comparable.

    • Re:So what's new? (Score:5, Informative)

      by DoofusOfDeath (636671) on Tuesday February 13, 2007 @05:15PM (#18003220)

      I believe that even RPM on linux runs the install scripts with admin access...

      Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
      • by Sycraft-fu (314770) on Tuesday February 13, 2007 @05:22PM (#18003326)
        If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.
      • Re: (Score:3, Interesting)

        by lukas84 (912874)
        I'm sorry, but you are wrong.

        A regular user without admin rights can't run any program with admin privileges, ever. Of course said user can use runas (or their graphical counterpart), and give the program U:PW for administrative privileges.

        Now, the default user Vista creates at install time is an administrator - but the default token said user gets is the same of a regular user. Now, if you want to run a setup program, Vista will elevate the privileges of such administrator accounts to the administrator lev
    • by mmell (832646) <mmell@hotmail.com> on Tuesday February 13, 2007 @05:16PM (#18003230)
      Let's say rather that you need root authority to install rpm packages for use by all users.

      rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.

      By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).

      RTFM.

    • A bit different... (Score:3, Informative)

      by eklitzke (873155)
      I am far from an RPM guru... but I have written a few in my day. Basically the way that an RPM works is you write a spec file which is just a script that tells RPM what actions to perform to install the actual binary. For example, put this file here, change its permissions, restart the running daemon associated with this package, etc. AFAIK the set of commands that you can give to RPM is limited, and I believe that you are not able to tell it to do things like load kernel modules. So sure, if you install an
  • by Lethyos (408045) on Tuesday February 13, 2007 @05:11PM (#18003118) Journal

    Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple and effective solution.

    • Re: (Score:3, Informative)

      by drinkypoo (153816)

      Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple and effective solution.

      Just to be a pedant, I would like to mention that you can in fact do this on Windows. However, applications developers seem to be in love with the registry, despite the fact that it really offers them no benefits whatsoever. I mean, it's slower than just put

  • by croddy (659025) on Tuesday February 13, 2007 @05:11PM (#18003120)
    Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.
  • by gvc (167165) on Tuesday February 13, 2007 @05:12PM (#18003142)
    Ease of use and compatibility with DOS/Windows is a major reason that Microsoft got us into this security mess. The default user in XP was an administrator with no login password. Non-privileged accounts were practically useless, mainly because you couldn't install any software using them. Now Vista is touted as allowing non-privileged accounts, but the price you pay is that any old installer is privileged. What an advance!


    While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the life blood of the OS?

  • Further proof (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 13, 2007 @05:15PM (#18003214)
    ...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.

    When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.

    The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
    • Re: (Score:3, Interesting)

      by TheRaven64 (641858)

      When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up?

      They did. It's called Singularity, and is a very interesting system (although somewhat reminiscent of JNode, particularly all of the things they claim are 'novel' about it). The trick is not re-writing Windows, it's selling the re-written Windows. They did very well to get everyone to move from DOS to NT. Now they have quite a nice kernel (although I'm not convinced it will scale to more than 64 cores without a significant redesign), and a load of bolted-on compatibility crap.

      While I'm rambling incoh

  • What? (Score:5, Interesting)

    by jamesshuang (598784) on Tuesday February 13, 2007 @05:16PM (#18003234) Homepage
    So let me get this straight... deleting a shortcut [flickr.com] brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
  • by ThatsNotFunny (775189) on Tuesday February 13, 2007 @05:16PM (#18003238)
    Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.
  • by MarkGriz (520778) on Tuesday February 13, 2007 @05:18PM (#18003266)
    Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?

    I guess MS didn't learn anything from id.

  • Troubling ... (Score:5, Interesting)

    by eck011219 (851729) on Tuesday February 13, 2007 @05:29PM (#18003456)
    ... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.

    That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.

    My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how unobtrusive they may be.

    I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
    • Re: (Score:3, Insightful)

      by mandelbr0t (1015855)

      I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.

      Yes, it is a matter of responsibility. You (the person surfing the internet, loading the truck, drinking from the tubes, whatever) are responsible for your own privacy while online. Period. There's not a law in the world that will magically turn off all viruses, trojans and malware overnight. However, what will happen is that end-user products will improve to the point where it's a turnkey solution, and a simple verification of some basic settings will protect you from all but the highly organized and crim

  • by gstoddart (321705) on Tuesday February 13, 2007 @05:29PM (#18003458) Homepage

    Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use.

    Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.

    Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.

    I mean, well over a decade ago I could download any old UNIX software, untar it, set an environment variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.

    This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.

    This just makes me laugh.

    Cheers
  • by The MAZZTer (911996) <<megazzt> <at> <gmail.com>> on Tuesday February 13, 2007 @05:54PM (#18003860) Homepage

    Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.

    If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.

    Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.

  • by RzUpAnmsCwrds (262647) on Tuesday February 13, 2007 @06:32PM (#18004416)
    Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!

    VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?

    Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.

    As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.

    Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
    • As for the article - installers pretty much have to elevate.

      I would argue this notion is fundamentally wrong.

      An installer should only have to elevate if it has to modify the system, or possibly existing applications in some way.

      I don't have to elevate for all Linux installations for example if I am not going to install something in /bin, but instead install a local bin directory.

      In OS X you can install an application just fine without elevation, unless again it requires system access - but most software is
  • by EMB Numbers (934125) on Tuesday February 13, 2007 @06:56PM (#18004704)
    1) So, all Vista installers run with admin. priv.
    2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.

    Why does a game need an installer at all ? Why not just unzip the game into your user account/home directory or better yet drag the game icon to the place you want it ? Why do Windows applications all seem to need an installer ?

    On OS X and NeXTstep before it, application icons are actually covers for directories containing all of the support files including executables needed by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.

    The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.

    No installers (except in crap-ware and unusual circumstances, and even then they require an admin password for upgraded privileges)!
    Remarkably little user irritation.

    Why can't Microsoft copy this behavior ? It has been for sale since 1988.

    OS X isn't perfect, but sometimes it is better.
  • by DigitAl56K (805623) on Tuesday February 13, 2007 @07:38PM (#18005278)

    From the NSIS (Nullsoft Scriptable Install System) documentation:

    RequestExecutionLevel none|user|highest|admin
    Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privileges level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request for the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.

    It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.

    More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".

    So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.
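The two mechanisms the thread describes, the requestedExecutionLevel a manifest can declare (the NSIS doc quoted above) and the filename/content-based installer detection that kicks in when no manifest is present (The MAZZTer's comment earlier), can be modelled as a small audit routine. This is an added example, not code from the thread, from NSIS or from Microsoft: it searches a byte image for an embedded application manifest, reads the requestedExecutionLevel attribute, and otherwise falls back to a simplified guess based on the file name and an NSIS stub marker. The sample "executables", the Example.Tetris identity and the NullsoftInst marker check are constructed stand-ins; Vista's real detection rules are not documented on this page, so the heuristic only reproduces the behaviour the comments describe.

```python
"""Model of how a Vista-era UAC decides whether an executable prompts.

Added example, not code from the thread, NSIS or Microsoft. It models:
  1. an embedded application manifest declaring requestedExecutionLevel
     (asInvoker / highestAvailable / requireAdministrator);
  2. the installer-detection fallback used when no manifest exists, which
     the thread describes as keying on names like "setup"/"patch" and on
     recognising NSIS/Windows Installer packages by content.
A PE image stores the manifest as an RT_MANIFEST resource, i.e. plain XML
bytes inside the file, so a byte search is enough to locate it here.
The sample images are constructed byte strings, not real PE files.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Matches <assembly ...>...</assembly> but not <assemblyIdentity .../>.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)
# Name fragments that the fallback treats as "probably an installer"
# (assumed list; the thread names "setup" and "patch").
INSTALLER_NAME_HINTS = ("setup", "install", "patch", "update")
# Simplified content marker for NSIS stubs (assumption standing in for
# Vista's undocumented installer-signature detection).
NSIS_MARKER = b"NullsoftInst"


def extract_manifest(image: bytes) -> Optional[str]:
    """Return the embedded manifest XML, or None if the image has none."""
    m = MANIFEST_RE.search(image)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def requested_execution_level(manifest_xml: str) -> Optional[str]:
    """Read requestedExecutionLevel/@level, ignoring XML namespaces."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.attrib.get("level")
    return None


def classify(file_name: str, image: bytes) -> Dict[str, object]:
    """Decide whether UAC would raise an elevation prompt for this image.

    'prompts' is evaluated for Vista's default account type (a member of
    Administrators in Admin Approval Mode), where highestAvailable and
    requireAdministrator both prompt and asInvoker never does.
    """
    manifest = extract_manifest(image)
    level = requested_execution_level(manifest) if manifest else None
    if level is not None:
        prompts = level in ("requireAdministrator", "highestAvailable")
        return {"source": "manifest", "level": level, "prompts": prompts}
    # Unmarked binary: fall back to the installer-detection heuristic.
    name_says_installer = any(h in file_name.lower() for h in INSTALLER_NAME_HINTS)
    content_says_installer = NSIS_MARKER in image
    prompts = name_says_installer or content_says_installer
    return {"source": "heuristic", "level": None, "prompts": prompts}


def manifest_for(level: str) -> str:
    """Constructed manifest in the layout Windows expects (asm.v1 + trustInfo)."""
    return f"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.Tetris" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def make_image(manifest_xml: Optional[str], extra: bytes = b"") -> bytes:
    """Constructed stand-in for a PE image: DOS magic, filler, optional manifest."""
    body = b"MZ" + b"\x00" * 62
    if manifest_xml:
        body += manifest_xml.encode("utf-8")
    return body + extra + b"\x00" * 16


# Constructed samples covering each path through classify().
SAMPLES: Dict[str, bytes] = {
    "tetris_setup.exe": make_image(None),                                 # unmarked, installer-like name
    "tetris.exe": make_image(None),                                       # unmarked, plain name
    "tetris-user.exe": make_image(manifest_for("asInvoker")),             # marked to run as the caller
    "tetris-admin.exe": make_image(manifest_for("requireAdministrator")),  # marked to require admin
    "freebie.exe": make_image(None, extra=b"\xef\xbe\xad\xde" + NSIS_MARKER),  # unmarked NSIS stub
}


def audit(samples: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Classify every sample; the result is what an admin would review."""
    return {name: classify(name, image) for name, image in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20} {verdict['source']:9} level={verdict['level']!s:21} prompts={verdict['prompts']}")
```

Run as a script it prints one line per sample; the useful part for a defender is the `audit()` table, which separates binaries that declare their needs from those that UAC has to guess about, and shows why an unmarked "tetris_setup.exe" ends up elevated even though nothing in it asked to be.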
