Re: Working Within the System

From: Martin Ling (martin@nodezero.org.uk)
Date: Mon May 01 2000 - 04:42:44 MDT


On Sun, Apr 30, 2000 at 10:55:14PM -0400, Michael S. Lorrey wrote:
> Martin Ling wrote:
> >
> > On Sun, Apr 30, 2000 at 08:30:43PM -0400, Michael S. Lorrey wrote:
> > >
> > > Windows is not incapable of priviledge levels or access restrictions. It
> > > is merely installed by the typical user without any. That is a matter of
> > > laziness rather than lack of capability.
> >
> > No, Matt referred to Windows 95, which has *no* system of file
> > permissions whatsoever. Using a Win95/98 system is comparable to having
> > a Unix system in which everybody logs in as root.
>
> As I said, no. That is just the typical consumer installation. However
> anyone experienced with administering win95/98 machines on a network
> that utilizes groups and user logins knows that this is not so.

I do happen to be experienced with this, actually. Whilst you can of
course set permissions to network resources, the local machine is still
vulnerable (there is no ownership/permission information on a VFAT
filesystem). The so-called restrictions you can put in place depend on
simply removing the user's options to do things in those programs which
you can instruct to do so (since this includes the Explorer shell, it
*appears* pretty comprehensive - they will be told they cannot run the
executable files they try, etc) - but programs, once running, still have
full priviledges. Ask any clever schoolkid how they get around the
'security' on the Win95/98 machines at school to run a game - it won't
let them run the executable, so they look for an application which they can
trick into spawning the program for them. Object Packager used to be a
good candidate, just OLE-embed a link to the program in a Word document
and double click. Now WinZip is often available - tell it to open an
.exe file (a feature it has so it can extract from self-extractors), and
it will politely ask you if you wish to execute it.

It's all basically an extended version of the Windows 3.1 trick of
setting [Restrictions] in PROGMAN.INI to hide the 'File' menu :)

Unix systems handle user authentication and permissions at the basic
system level, making it impossible to override. NT does the same. But
not Win95/98.

Martin

-- 
+--------------------------------------------------------+
| Martin J. Ling              Tel: +44 (0)20 8863 2948   |
| martin@nodezero.org.uk      Fax: +44 (0)20 8248 4025   |
| http://www.nodezero.org.uk  Mobile: +44 (0)7940 482675 |
+--------------------------------------------------------+



This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:10:04 MDT