this post was submitted on 31 May 2024
-31 points (29.9% liked)

Linux

47933 readers
1192 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Isn't it enough to just enter your password once to login, then receive a warning whenever you're about to do something potentially dangerous?

If it's such a big security risk, how come the most popular and widely used operating systems in the world and their users seem to be unaffected by it?

I guarantee, most new users coming to Linux from Windows/macOS are going to laugh and look at you funny if you try to justify entering your password again and again and again.

all 36 comments
sorted by: hot top controversial new old
[–] [email protected] 47 points 5 months ago

macos you do

[–] [email protected] 29 points 5 months ago (3 children)

microsoft doesnt want to annoy people, but in a corporate environment this requirement is fully implemented on windows.

i was never under the impression macs belonged in a business environment. maybe apple just doesnt find that level of security important.

[–] [email protected] -5 points 5 months ago (3 children)

Thank you for the informative response. I was unaware Windows machines employed similar behavior in corporate environments.

Do you think, then, that it would be acceptable for Linux to remove these restrictions in home environments?

[–] [email protected] 12 points 5 months ago

You are more than welcome to remove the need for any passwords at all on the linux systems you admin. Good thing about free software is that you decide how you want it, hack up or put up.

[–] [email protected] 8 points 5 months ago (1 children)

no. no reason to expand poor practices into linux because microsoft fucked up. we need 'least access required' methodology even at home because the world is full of bad actors.

if microsoft had correclty implemented security into dos/winx.x we wouldnt have had half the virus issues we did in the late 90s.

i think the other half was caused by activex

[–] [email protected] -4 points 5 months ago (2 children)

I don't think the security issues with windows stem from not having the user enter their password a bunch of times.

[–] [email protected] 4 points 5 months ago

It's Linux. You can remove the restriction yourself.

It's not that hard to either give your user account perma-sudo or to remove the timeout so you only have to enter the password once per login. Slightly more involved would be manually changing which actions require root authentication.

[–] [email protected] 27 points 5 months ago

If it's such a big security risk, how come the most popular and widely used operating systems in the world and their users seem to be unaffected by it?

Are they though? My corporate managed Windows machine either refuses an elevated command or asks me for my password/fingerprint. Same with macOS. Just because you don't secure your Windows machine doesn't mean other do the same.

I guarantee, most new users coming to Linux from Windows/macOS are going to laugh and look at you funny if you try to justify entering your password again and again and again.

the least pressing concern for any Windows/macOS user. Besides, you can install user-wide application without any password requirement, if you want to change something on system level (and lets face it, when does a regular user does that on a regular basis?) you need to have some sort of security.

[–] [email protected] 24 points 5 months ago

On macOS you need to do that quite a couple of times. Changing settings, installing stuff to run in the background, install stuff to open open login, etc. So it is there. Furthermore a lot of programs and guides for linux are written to make it easy so they use sudo but you don't always have to run it as root. But not doing so usually requires more steps. So linux is more restricting but to circumvent that, people use sudo a bit too much.

[–] [email protected] 22 points 5 months ago

You can easily fine tune what requires a password in Linux by editing the /etc/sudoers file.

[–] [email protected] 15 points 5 months ago

Mac uses TouchID for the most part in the GUI, but CLI sudo still asks for your login password, although it can be configured to ask for TouchID as well. The GUI does fallback to having you enter your password if somehow you have a Mac without TouchID.

Windows uses the UAC thing which currently we don't have a great way to do on Linux but should be possible with Wayland (on Xorg you'd just need to script clicking yes and bypass user approval because there's no security). On Windows when the UAC popup pops up and you click yes, you've done the equivalent of entering your password. In enterprise settings, it's not common for it to be configured to actually ask your password, or ask the password of an admin account. So no it's not "good enough" even on Windows under some situations.

On Linux you can configure sudo to use the fingerprint reader or a security key if you want. PAM stands for Pluggable Authentication Module, you can do whatever you want. You can also make it no password at all and sudo just automatically gives you root no questions asked.

The security use case is to prevent software running as your user to have an easy path to getting to root without some form of user approval. That also means if you walk off your desk to refill your coffee nobody can sneak behind you and plop a USB with malware, click yes and leave.

It's doable on Linux with some PAM and Polkit tweaks, just not how it's shipped by default because it's better users voluntarily reduce their security settings than defaulting to minimal security like Windows used to (in particular the XP days before UAC, and UAC did annoy a lot of people when it came in with Vista and 7).

[–] [email protected] 14 points 5 months ago

FYI, you don't need to either on linux. Look up sudo.

[–] [email protected] 12 points 5 months ago* (last edited 5 months ago) (1 children)

Windows is historically a "single user OS" whereas Linux is historically a multi-user OS. They're both multi-user now but the philosophy of these backgrounds results in what you see today.

So under Windows you login "as an admin" and don't need passwords for many things - similar to (but very much not the same as) running Linux as root.

Under Linux you login "as a user" and need to elevate permissions for things which can affect other users on the same system. Typically with sudo these days.

These lines are very much blurring so you can do many things under Linux without a password and some things on Windows require "running powershell as an admin".

[–] [email protected] 1 points 5 months ago (1 children)

NT (and therefore all Windows versions today) always had multi-user security. It's essentially a ported version of DEC Alpha.

On install, the first user is admin, just like the first Linux account is root, or else you wouldn't be able configure the machine.

Windows architecture built on DOS (3.x, 95,etc) lacked any such security, and was developed as a single-user OS (goes back to DOS86).

[–] [email protected] 1 points 5 months ago

NT (and therefore all Windows versions today) always had multi-user security. It’s essentially a ported version of DEC Alpha.

  1. DEC Alpha is a hardware not a software.
  2. I know that WinNT had multi-user capabilities, but I've simplified for conversation.
[–] [email protected] 11 points 5 months ago

I have to do this on both macOS and windows…

You can turn it off but you probably shouldn’t.

[–] [email protected] 8 points 5 months ago

It's not true admin privileges, windows won't let you delete system32 the normal way, Linux on the other hand will tell you good luck and bail as you delete everything

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago) (2 children)

You do need to authorize admin action on Windows and it causes severe security issues, because people do it without thinking all the time.

You can also configure Linux to have this behaviour, but for security reasons it works differently out of the box. Also, some programs, such as many terminal emulators, can cache you PW so you don't have to enter it multiple times.

I use a U2F key for sudo and it's just one touch. One touch you need to sit in front of my computer for.

[–] [email protected] 3 points 5 months ago

Also, some programs, such as many terminal emulators, can cache you PW so you don't have to enter it multiple times.

Terminal emulators don't (or at least shouldn't) do any such thing. sudo itself is responsible for letting you do privilege escalation without password for some time after successfully passing once - whenever you run it and successfully authenticate, it saves your user id, current time and a session identifier (each open shell gets a unique identifier) into a file. Then, when you attempt to do anything, it will check this file to see if you've if you've authenticated within the last few minutes in this terminal, and only ask for a password if you haven't.

For more info, see man sudoers_timestamp

[–] [email protected] 7 points 5 months ago (1 children)

AFAIK the user account created by default on windows will be a full privilege account, so won't need a password to gain admin through UAC. Essentially the same as Linux where you can gain root privileges through sudo by using your own password.

But if you create an account with standard user privileges it will ask your for the password to an administrator account to gain admin. I'm not sure what the linux equivalent of this would be, denying sudo access would be too restrictive so maybe there's an in between where you need the password to an admin user to gain sudo.

[–] [email protected] 2 points 5 months ago

The linux equivalent would probably be using su to switch to an account with sudo access or straight-up to root.

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago)

"You know what's funnier? That theatrics you call User Access Control popup."

[–] [email protected] 5 points 5 months ago

You could just run everything as root or configure sudo without timeout.

[–] [email protected] 2 points 5 months ago

I guarantee, most new users coming to Linux from Windows/macOS are going to laugh and look at you funny if you try to justify entering your password again and again and again.

That makes me think that I always thought that security was a joke included with Microsoft products. Already from the MS-DOS days onward. And I guess the other commenter is right : Microsoft does not want to annoy their users.

[–] [email protected] 0 points 5 months ago (1 children)

I guarantee, most new users coming to Linux from Windows/macOS are going to laugh and look at you funny if you try to justify entering your password again and again and again.

That's nice, but this ain't MacOS or Windows. This is Linux.

Sorry but 20 years of "but this isn't exactly like Winders11!!!one!" starts to grate on me. It's a different OS with a different philosophy and a different workflow. Everbody coming from Windows had to learn to deal with the nuances of that OS as well, nuances they've completely forgotten about because it's second nature.

I don't WANT Linux to be exactly like MacOS and Windows. I want it to stand on its own, with its own ideas on how to run a computer.

[–] [email protected] -1 points 5 months ago

Yeah, but you gotta admit it's possible windows does some things better.

I also think a lot of linux users get tunnel-visioned and believe that something is incorrect simply because it's how another OS does it.