More desktop security thoughts (was Re: GNOME privilege library)

OK, so I went shopping, made a stir fry and ate it. Now I'm hopefully
thinking more clearly about these issues. Apologies for the length. 

The desktop industry in general has a Big Problem which these discussions
are just a symptom of, namely that every major desktop OS player
(Microsoft, Apple, Linux community) is pushing a single security model for
totally different environments.

Let me explain. Say there are 3 types of desktop:

- Managed. Think call center, tightly controlled corporate network
  etc. In this setup users do not have administrator access to their
  computers and everything is managed remotely by the ITS dept.

- Mixed. This is a desktop PC connected to a corporate network but
  where the local user has administrator access. I used to work on 
  a desktop like this. Typically it's done because either ITS isn't
  up to the job or because the users are trusted to run the machines
  well (i.e. in a company of computer programmers ...)

- Home. This is a machine connected to the Internet but which is 
  owned and controlled entirely by one person: it may actually
  have multiple user accounts but they're all trusted, or there
  might be some trivial security (enough to stop little brother
  reading big sister's documents for instance).

In a managed setup you really want the current sort of security, with an
all powerful root user and relatively weak non-root users. But it's not
clear to me that GNOME cares about this setup because in a managed
desktop the administrators will probably be configuring the desktop via
LDAP, or SSH, or some other fancy system designed to manage lots of
desktops. If they do want superuser access to an individual machine they
would have no problem with using the command line. So there's no point in
there being graphical password prompts in this setup because the user
wouldn't know the password and the admin wouldn't be using the local GUI
anyway.

Mixed setups we can treat as home setups for this discussion because the
key point - that the primary user also controls the box - is the same.

So home setups are where it gets interesting. This is where the Big Problem
is.

The root/user distinction is totally useless for home users, in fact it
shouldn't even exist as there are limits to how much you can wallpaper
over it. In home setups the users shouldn't ever be prompted for a
password, there shouldn't even be a login screen if there's only one user.
Maybe there's a BIOS lock to deter physical thieves, or a hard disk
encryption lock to deter physical+information thieves, but from GNOME's
perspective there shouldn't be any prompting at all.

It's no accident that Windows 98 and MacOS Classic have no security. It's
because for the market they were designed for - home users - it wasn't
needed. Windows 98 implemented some simple user separation but it
certainly did *not* prompt you for a password to change the date/time, or
install new software. That's because there's no point in requiring a
password to do it, as the user is guaranteed to know it.

So if passwords are so useless for home setups why do Linux and Windows
and MacOS X do it?

Well, remember we're dealing with a sample size of 3 here.

Windows XP has an Administrator/User distinction because it's derived from
Windows NT which was originally designed for managed desktops and servers.
You want an admin/user distinction here because boxes with one admin but
many users are very common. 

It wasn't derived from NT because that was the best way to make a usable
desktop operating system - in fact the reason 9x persisted for as long as
it did was because it's the *worst* way to make a usable desktop operating
system and the effort required to make WinNT/Win2000 usable by Harry
Homeuser was significant. It was derived from NT because 9x was based on a
pile of hacks and lacked basic things like a proper kernel, and so NT was
the only stable and future proof codebase they had.

MacOS X has an Administrator/User distinction because Apple realised that
OS 9 was rubbish and they had to do something about it quickly. Writing a
modern desktop OS from scratch is close to being economically
impossible these days, so Apple did huge code imports from NeXT and
FreeBSD. With these imports came the UNIX security model, which lacking
any better ideas (and lacking time/manpower) seemed an improvement over
nothing at all.

Linux was originally built as a server OS and a clone of UNIX,
which was also historically a server OS so it's no surprise that we're now
trying to slap a server security model onto a desktop.

And was Apple right, was it an improvement over nothing at all? Well ...
yes. It used to be the case that nothing at all was OK (Win98), but then
the internet age happened and the words "worm" and "spyware" entered our
vocabulary. So clearly desktops can't get away with no security anymore.
But it's not a binary choice between user/root security and nothing at all.

The problem we have on the desktop is that we're abusing a DAC
(discretionary access control) system like UNIX security instead of using
a MAC (mandatory access control) system like we should. DAC is security
based on who you are. MAC is security based on what you are. 

OK I'm sure if Colin Walters is reading he could explain it much better
than I have but stay with me :)

The problem with security based on who you are is that discrete user
identities implies discrete passwords (or whatever authentication token
we're using). That maps onto the user's brain as "I am two people at once"
which is:

a) Really confusing. Try explaining to Lucy Linux that she needs to
   know two passwords because sometimes she is Lucy and sometimes 
   she is this "Root" dude, and one can do more than another. Now try
   explaining *why* root can do more than she can, and why she shouldn't
   just log in as root and save herself all this bother.

b) Broken in all kinds of subtle ways, e.g. running a regular GUI app
   as root may mysteriously give that app a different theme (Sean touched
   on this already), saving files from that app makes them read only in
   normal mode etc

c) Insecure. Users and groups is a really coarse way of satisfying the
   principle of least privilege which is what home desktop security is
   *really* about - it's not about making sure that only Daddy can set
   the date and time, it's about ensuring that a mistake in one
   line of code doesn't lead to a full system compromise (and therefore
   about protecting the users from the bad guys)

d) Distracting. People end up thinking "But what if the Bad Guys try
   and socially engineer Lucy into giving root access?" even though
   for things like relaying spam, attacking other systems, popping up
   adverts and all the other things malware does you don't actually need
   root.

So MAC systems like SELinux seem to be the key to these discussions. They
allow us to provide a desktop security system tuned for each separate
deployment scenario.

In managed desktops user vs root *and* MAC security is pretty good,
because that reflects the reality that the admins are in charge and it
also allows you to say "Only Foo Web Browser can write to
~/.foobrowser". This is really secure.

In mixed or home desktops user vs root security is harmful because it
doesn't reflect reality, but MAC security isn't: you only really care
about stopping compromised web browsers and email programs running rampage
over the user's system.

In *none* of the above scenarios should the user ever be prompted for a
password that they already know. Managed desktops are managed remotely via
SSH and other admin-tools; in Mixed and Home setups the user implicitly
has full control and so a password is bad because it breaks their mental
model and gets in the way.

Right now GNOME is stuck in the middle, because very few systems on which
it ships (really only Fedora Core 3) actually employ MAC based security.
And actually Fedora Core 3 uses DAC+MAC security so it's more a Managed
type desktop than a Home type desktop.  So it's not very helpful for the
GNOME project to say "password prompts are bad so let's not do them"
because it has to work with what it's got, and usually what it's got is a
bad security model. Maybe that will change in future. 

Finally there's the question of how the desktop knows which scenario it's
in. Microsoft and Apple solve that by splitting the product in two: a home
edition which is optimized for the Home setup, and a "Pro" edition which
is optimized for the Managed/Mixed setup. It might be a plan for GNOME to
do something similar eventually: right now we have stuff like Novell
GroupWise support in Evolution which for home users is just clutter.

OK so I know that email was too long, I hope I didn't lose anybody ...

thanks -mike
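The DAC versus MAC argument in the mail above ("who you are" versus "what you are", and "Only Foo Web Browser can write to ~/.foobrowser") can be made concrete with a small type-enforcement model. The following is an added example written for this page, not code from Mike's mail or from any GNOME or SELinux project. The domains (foobrowser_t, user_t), file types, paths, mode bits and allow rules are all invented for illustration; they imitate the shape of SELinux type enforcement but are not real policy. The three Policy objects correspond to the mail's deployment styles: plain UNIX DAC as shipped today, MAC alone for a home box with no root/user split, and DAC plus MAC for a managed desktop.

```python
# Added example (not from the original mail): a toy access-control model that
# contrasts DAC ("who you are": uid and mode bits) with a SELinux-style
# type-enforcement MAC ("what you are": process domain and file type).
# All domains, types, paths and allow rules below are invented for illustration.
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Process:
    uid: int       # DAC identity: who is running
    domain: str    # MAC label: what program is running


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int      # DAC permission bits, e.g. 0o600
    type_: str     # MAC label: what kind of file this is


@dataclass
class Policy:
    dac: bool = True
    mac: bool = True
    # Type-enforcement allow rules: (domain, file type) -> permitted operations.
    allow: dict = field(default_factory=dict)


def dac_permits(proc: Process, f: File, op: str) -> bool:
    """Classic owner/other mode-bit check (groups omitted); root bypasses DAC."""
    if proc.uid == 0:
        return True
    bits = (f.mode >> 6) & 0o7 if proc.uid == f.owner_uid else f.mode & 0o7
    return bool(bits & (0o4 if op == READ else 0o2))


def mac_permits(policy: Policy, proc: Process, f: File, op: str) -> bool:
    """Type enforcement is default-deny: no matching allow rule means no access."""
    return op in policy.allow.get((proc.domain, f.type_), set())


def check(policy: Policy, proc: Process, f: File, op: str) -> str:
    """Return 'ok', or the name of the layer ('dac' or 'mac') that refused."""
    if policy.dac and not dac_permits(proc, f, op):
        return "dac"
    if policy.mac and not mac_permits(policy, proc, f, op):
        return "mac"
    return "ok"


# Invented allow rules: the browser owns its own dot-directory and may read
# (for uploads) ordinary documents; the user's normal apps may do anything to
# documents and SSH config but may only read the browser's private state.
ALLOW = {
    ("foobrowser_t", "foobrowser_home_t"): {READ, WRITE},
    ("foobrowser_t", "user_home_t"): {READ},
    ("user_t", "user_home_t"): {READ, WRITE},
    ("user_t", "ssh_home_t"): {READ, WRITE},
    ("user_t", "foobrowser_home_t"): {READ},
}

# The deployment styles from the mail, expressed as which layers are switched on.
HOME_TODAY = Policy(dac=True, mac=False)                  # plain UNIX DAC only
HOME_PROPOSED = Policy(dac=False, mac=True, allow=ALLOW)  # MAC only, no root/user split
MANAGED = Policy(dac=True, mac=True, allow=ALLOW)         # DAC + MAC, Fedora Core 3 style

LUCY, LITTLE_BROTHER_UID = 1000, 1001                      # hypothetical uids
AUTHORIZED_KEYS = File("/home/lucy/.ssh/authorized_keys", LUCY, 0o600, "ssh_home_t")
COOKIES = File("/home/lucy/.foobrowser/cookies", LUCY, 0o600, "foobrowser_home_t")
TAXES = File("/home/lucy/Documents/taxes.ods", LUCY, 0o644, "user_home_t")

BROWSER = Process(LUCY, "foobrowser_t")         # assume a web page has hijacked it
BROWSER_AS_ROOT = Process(0, "foobrowser_t")    # same program, launched as root
EDITOR = Process(LUCY, "user_t")
LITTLE_BROTHER = Process(LITTLE_BROTHER_UID, "user_t")


def compromised_browser_outcomes(policy: Policy) -> dict:
    """What a hijacked browser running as Lucy can do under a given policy."""
    return {
        "write_authorized_keys": check(policy, BROWSER, AUTHORIZED_KEYS, WRITE),
        "write_own_cookies": check(policy, BROWSER, COOKIES, WRITE),
        "read_taxes": check(policy, BROWSER, TAXES, READ),
        "write_taxes": check(policy, BROWSER, TAXES, WRITE),
    }


if __name__ == "__main__":
    for name, pol in [("home today", HOME_TODAY),
                      ("home, MAC only", HOME_PROPOSED),
                      ("managed, DAC+MAC", MANAGED)]:
        print(f"{name:18} {compromised_browser_outcomes(pol)}")
    # "What you are" beats "who you are": root inside the browser domain is still confined.
    print("root browser writes authorized_keys under MANAGED:",
          check(MANAGED, BROWSER_AS_ROOT, AUTHORIZED_KEYS, WRITE))
```

Under HOME_TODAY every request from the hijacked browser comes back "ok", because DAC only asks whether the process is Lucy, and it is. Under either policy with MAC on, the browser can still write its own cookie jar and read a document to upload it, but writing ~/.ssh/authorized_keys or overwriting the tax spreadsheet is refused by the MAC layer, and running the browser as root changes nothing. The little-brother uid is the one case DAC does handle: it is stopped from reading authorized_keys by the mode bits, which is the "who you are" check the mail says is the wrong tool for confining programs.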
