Least Privilege, User Account Control, and Setuid
Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012
Windows® 7 provides a simple mechanism for running end-user accounts with standard user privileges, while eliminating the need for administrator privileges when performing common tasks, such as installing a printer driver or connecting to a wireless network. This fundamental shift helps to provide security at the operating system level by preventing malicious software (also called malware) and rootkits from damaging company-wide files and settings.
User Account Control (UAC) is based upon the security theory of least privilege, the concept that users should have the absolute minimum privilege required to perform assigned tasks. Changes in Subsystem for UNIX-based Applications that are compatible with UAC include use of the Least-privilege User Account (LUA).
User Account Control
User Account Control is a security feature in Windows 7 that was introduced with Windows Vista.
The primary goal of User Account Control is to reduce the exposure and attack surface of the Windows 7 operating system by requiring that all users run in standard user mode, and by limiting administrator-level access to authorized processes. This limitation minimizes the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malicious software that has infected their computer.
By default, Windows 7 runs every application as a standard user even if the current user is logged on as a member of the Administrators group. Conversely, when users attempt to launch an application that has been marked as requiring administrator permissions, Windows 7 prompts them to confirm their intention to do so. Only applications running with administrator privileges can modify system and global settings and behavior.
For more information about User Account Control, see the Microsoft Web site topic "Understanding and Configuring User Account Control in Windows Vista" (http://go.microsoft.com/fwlink/?LinkId=70242).
User Account Control and least privilege in Subsystem for UNIX-based Applications
When a Subsystem for UNIX-based Applications user who is a member of the Administrators group launches an application, shell, or other task, the applications run in the security context of the standard user.
The following example demonstrates how User Account Control can prevent users who are members of the Administrators group from performing administrative tasks without elevated privilege.
User A is a member of the Administrators group, and wants to create a new directory called test in the / (root) directory. Only members of the Administrators group are allowed to create new directories in the root directory. However, although User A is a member of the Administrators group, User A cannot create the new directory because of LUA restrictions: the shell is running in the security context of a standard user. When User A opens a Korn shell with elevated privileges, User A is allowed to create the test directory in root.
To run an application or perform tasks with elevated privileges, see the following procedures.
How to run an application as an administrator
With Subsystem for UNIX-based Applications and its download package of tools and utilities installed, there are two ways to run an application as an administrator.
Using the Windows interface
To run an application in the Windows user interface that requires administrative privileges, perform the following steps.
To run an application as the administrator in the Windows interface
Right-click the application executable file.
On the shortcut menu, click Run as administrator.
Using a UNIX-based command line
To run an application in the UNIX-based Korn shell environment that requires administrative privileges, perform the following steps.
To run an application as the administrator in a Korn shell
Click Start, click All Programs, click Subsystem for UNIX-based Applications, and then point to Korn shell.
Right-click Korn shell, and then click Run as administrator.
When you are prompted to allow the shell to run as administrator, click Yes.
Run the program that requires Administrator privileges.
When you have finished running the application that requires elevated privilege, close the shell session.
To perform other tasks in the UNIX-based shell environment that do not require Administrator privileges, open a new shell session without using the Run as administrator command.
EnableSuToRoot registry key
User Account Control is enabled by default. When User Account Control is enabled, any application or task that impersonates another user who is a member of the Administrators group (for example, by using the su, cron, or login utilities, the setuid attribute, or any of the setuid or exec_asuser families of calls) always runs in the security context of a standard user account.
Note: When an application impersonates a standard user, it has the complete security context of a standard user. For more information about standard users, see the Microsoft Web site topic "Developer Best Practices and Guidelines for Applications in a Least Privileged Environment," Introduction section (http://go.microsoft.com/fwlink/?LinkId=70243).
With default settings, an application cannot impersonate the root user. You can control this behavior by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA\EnableSuToRoot.
How to modify the EnableSuToRoot registry key
Note: The Administrator account is disabled by default in Windows 7 and Windows Server 2008 R2 to help protect computers and data from access by unauthorized or malicious users, and it must be enabled for users to impersonate the root user or Administrator. Because the Administrator account must first be enabled to change the setting of the EnableSuToRoot registry key, the procedure to complete this task immediately follows. You must be a member of the Administrators group on the local computer to complete the following procedure.
To enable the Administrator account
Click Start, right-click Computer, and then click Manage.
In the hierarchy pane of the Computer Management snap-in, open Local Users and Groups.
Select Users.
In the results pane, right-click Administrator, and then click Properties.
Clear the check box for the Account is disabled option.
Click OK .
Close the Properties window, and then close the Computer Management snap-in.
Perform the following steps to change the setting of the EnableSuToRoot registry key after you install Subsystem for UNIX-based Applications.
To change the setting of the EnableSuToRoot registry key
Click Start , click in the Start Search text box, and type regedit to open Registry Editor.
In the hierarchy pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA.
In the results pane, double-click EnableSuToRoot.
In the Value data box, enter 0 to disallow impersonation of the root user, or 1 to allow it.
The default setting is 0.
Click OK .
Close Registry Editor; if prompted, save your changes.
When the value of this key is set to 0 (the default setting), impersonation of the root user is disallowed. When the value is set to 1, impersonation of the root user is allowed. When an application impersonates the root user or Administrator account, the application has the administrative security context of the root (Administrator) user.
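The following PowerShell script is an added example (it is not code from the original topic) that audits the two prerequisites described above from the Windows side: whether the built-in Administrator account is enabled and whether EnableSuToRoot is set to 1. It assumes only the key path, value name and meaning of 0 and 1 given in this topic; the function and variable names are the example's own.

```powershell
# Added example, not part of the original topic. Assumes the key path, value
# name and semantics stated in the topic (0 = root impersonation disallowed,
# the default; 1 = allowed) and the built-in local Administrator account.
$SuaKey    = 'HKLM:\SOFTWARE\Microsoft\SUA'
$ValueName = 'EnableSuToRoot'

function Test-IsElevated {
    # Under UAC, reading HKLM works from a standard-user token but writing to
    # it does not, so the caller must have started PowerShell with
    # "Run as administrator" before Disable-SuaRootImpersonation can succeed.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SuaRootImpersonationState {
    # Reports both conditions the topic requires for impersonating root:
    # the Administrator account is enabled AND EnableSuToRoot is 1.
    $admin        = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
    $adminEnabled = -not [bool]$admin.AccountDisabled.Value

    # -ErrorAction SilentlyContinue makes an absent value yield $null instead
    # of an error; the topic states the default behavior is 0 (disallowed).
    $item  = Get-ItemProperty -Path $SuaKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = $null
    if ($null -ne $item) { $value = [int]$item.$ValueName }

    $state = 'disallowed'
    if ($adminEnabled -and $value -eq 1) { $state = 'ALLOWED' }

    New-Object PSObject -Property @{
        AdministratorEnabled = $adminEnabled
        EnableSuToRoot       = $value      # $null means the value is not present
        RootImpersonation    = $state
    }
}

function Disable-SuaRootImpersonation {
    # Restores the documented default (0). Fails with a clear message rather
    # than a registry access error when the session is not elevated.
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell session (Run as administrator).'
    }
    Set-ItemProperty -Path $SuaKey -Name $ValueName -Value 0 -Type DWord
}

Get-SuaRootImpersonationState
```

Run the audit from a standard PowerShell prompt to detect drift from the default; only Disable-SuaRootImpersonation needs an elevated session, mirroring the Run as administrator procedures earlier in this topic.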
Setuid and Administrative Privilege
If users who are members of the Administrators group attempt to mark applications with the setuid attribute, they succeed only if they are running the chmod command in an administrative security context (for example, from a Korn shell opened with Run as administrator).
The following is an example of how to mark the binary file /bin/regpwd, which is typically marked with the setuid attribute:
Open a Korn shell (ksh) with elevated privilege as described in this topic.
Type chmod +s /bin/regpwd, and then press ENTER.
Close the ksh session.