6
2
Is it correct to say that Windows UAC is conceptually the same as Linux sudo?
Can you point out the differences between the two?
WinWin
Posted 2011-02-08T03:40:20.653
Reputation: 850
Windows UAC vs. Linux sudo
Answers
3
UAC elevates the currently logged in user by giving it a system privilege needed to do something marked as needing administrator rights.
- If you are an administrator, you will be asked to confirm that you wish to grant the process administrative access
- If you are standard user, you will be prompted to enter credentials of an administrator account
The point of UAC is to ensure that the actual physical user with administrative privileges wants an action to happen, not an automated process. There are three ways in which a process can run elevated:
- the user can right-click the program and choose "Run as Administrator"
- the program is manifested for an integrity level of
requireAdministrator - the program is manifested for an integrity level of
highestAvailableand the user is an administrator
Sudo elevates the currently logged in user by changing the current user to root, or another user, and executes a command as that user. The list of commands and who can do what is defined in /etc/sudoers. Sudo does ask for a password, your password, but caches it for a time so you don't have to re-enter it. The point of sudo is allow a limited number of normal users to execute some commands that need to run as root, or other users.
Some things in Windows, such as installing devices, will ask for an administrator password if they do not have proper privileges to do something. This is somewhat like sudo, but unless you customize your rights assignments, users, and groups under Windows, any administrator can authorize the action.
LawrenceC
Posted 2011-02-08T03:40:20.653
Reputation: 63 487
1Just to expand this, you can actually set what binaries (.EXEs) trigger an UAC prompt by marking them as Run as administrator on the compatibility options, you can only turn these back to non-UAC though, not EXEs that were made to need Administrator privileges. – arielnmz – 2015-03-02T01:04:12.867
1Very inaccurate to be marked as answer. UAC allows to prompt for another user credentials if the current user doesn't have enough privileges. UAC actually has some command prompt mode using Runas – JuanK – 2016-02-10T18:53:21.297
@JuanK, is that somewhat more accurate? Reflecting on this you are right. – LawrenceC – 2016-02-10T19:50:16.677
1It is configurable (in the "sudoers" file) whether the user needs to authenticate by providing his/her password. The default is to require this, but it sometimes makes sense to turn it off; e.g. for certain commands. – Stephen C – 2011-02-08T16:36:34.857
1
Unfortunately, UAC does not work this way. http://technet.microsoft.com/en-us/library/cc709628%28WS.10%29.aspx
– surfasb – 2011-12-01T09:13:04.987@surfasb, that's a good article and I learned a bit from it. – LawrenceC – 2011-12-01T12:02:57.893
3
Kind of. Normally, Linux's sudo allows you to take on administrator privileges for a period of time. As does Windows's UAC. But, sudo can also be used to do an action as another user, provided you have super user privledges.
Wuffers
Posted 2011-02-08T03:40:20.653
Reputation: 16 645
3Sudo allows you to do an action as ANY user provided you know your OWN password and provided you have the appropriate sudo permissions – David Harris – 2011-02-08T04:02:45.357
1He probably just got confused with su – atx – 2011-02-08T04:27:17.813
@DavidHarris: Fixed my answer, thanks for the correction. – Wuffers – 2011-02-08T13:20:47.570
You don't necessarily need super user permissions... – Katerberg – 2011-02-08T16:42:11.993
1
Here is a MS site on UAC (Vista and 7 operate the same) - click here. The real important bit is this desciption of how the access tokens are handled for administrator and standard users:
"When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user by default unless a user provides consent or credentials to approve an application to use a full administrative access token. Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to launch the desktop."
It is possible to configure UAC in various ways. For a standard user the UAC prompt will ask for the login of an account with Admin rights, for a administrator user the UAC can either just ask for approval of the action or be configured to also require a login (the later deemed less secure by MS).
edusysadmin
Posted 2011-02-08T03:40:20.653
Reputation: 2 158
1unless you want to get into the nitty-gritty about user roles in the two OSs, I don't think you're going to get a good list of differences between the two. – Patrick – 2011-02-08T05:34:32.330