File Browser Privilege Escalation Done Right

Even though there is a bug report on this for Nautilus, I didn’t include proper implementation of privilege escalation as one of The Top 5 Gnome/Ubuntu Usability Bugs I’d Love to See Fixed (well, it would then be six instead of five, anyway)—mainly because it’s not unique to Gnome.

I haven’t seen proper file browser privilege escalation implemented in Gnome, KDE, or Xfce. I haven’t seen it done well in Windows XP or Mac OS X, either.

Right now in Windows XP, if you’re not the administrator (and, for safety’s sake, you really shouldn’t be logged in as the administrator), there’s no easy way to temporarily become the administrator to edit a file or two. You can’t right-click the file and Open as… a different user. You can’t right-click Explorer and Run as… a different user. Basically, unless there’s something I don’t know about (Windows fans, please pipe up! I have to use Windows at work, and it’d be great to know if a solution exists), you have to log out of the current user, log in as the administrative user, make the change, and log back in again as the original user.

Same deal for Mac OS X. You can’t just open Finder as an administrator. In fact, because Mac OS X has a better security implementation (it uses sudo, same as Ubuntu) than XP’s, even an administrator can’t modify system files through Finder. You have to enable the root account and use its Finder, or make changes through the terminal.

Desktop Linux has one up on Windows and Mac in this regard, but it’s still not completely smooth. If you know you’re going to modify a system file, you can launch your file browser window with root (or administrator) privileges even within a regular account. If you have Konqueror plugins, Nautilus scripts, or Thunar custom actions, you can right-click on a system file and edit it as root.

To be fully smooth, file browsers should have drag-and-drop authentication.

In other words, a Ubuntu user, for example, who happens to be in the admin group (meaning that she can sudo to temporarily gain root privileges for a particular task) can drag a file to a system folder and instead of getting the old Access denied: You do not own that folder warning, she gets an authentication dialogue:

  • Modify system folder (you will be prompted for a password)
  • Do not modify the system folder

Likewise, when someone who is in the admin group opens a system file and tries to save it, instead of getting Unable to save: you are not the owner of the file, he’ll get an authentication dialogue to make changes to the system file.

That’s how it should go. It’s smooth. It makes up for you forgetting to open the file with root privileges. It allows you to back out if you don’t want to modify the system file. And it wouldn’t appear for users who aren’t sudoers—they would get the Access denied error message.

More importantly, it wouldn’t frustrate the hell out of new users who then “yell” on the forums “What does it mean I’m not the owner of the file? I’m the only person using this computer! I own every file on the system!!! Why can’t I be root?” Or, worse yet, when told she’s not the owner of the system files, the new user might attempt to change ownership of the system files, thus rendering her installation non-functional.

9 comments

  1. In Arch Linux, you can right click on any folder that are owned by root (or any other users than youself) and choose “Open as administrator” to open it as root, as seen here on this screenshot of my desktop:

    http://img354.imageshack.us/img354/3583/screenshot2zl7.png

    I find this feature very neat. It also eliminate any need to run Nautilus as root (which is at best redundant, in my opinion).

    I’m not sure why Arch Linux has this feature and Ubuntu doesn’t (Arch was using GNOME version 2.18.3, for that matter). Anyway, love to see Ubuntu guys integrate this feature in the next version.

  2. You can do that in Ubuntu as well with Nautilus scripts. There is also a Konqueror plugin that allows you to do this in Konqueror. And you can create a custom action in Thunar to do it in Thunar.

    That’s great, but I mentioned that before, and that’s not what I’m hoping will be implemented.

    I’m hoping that you can double-click instead of right-click, and if it’s a system file, you can get an authentication dialogue if you try to save.

  3. “Same deal for Mac OS X. You can’t just open Finder as an administrator. In fact, because Mac OS X has a better security implementation (it uses sudo, same as Ubuntu) than XP’s, even an administrator can’t modify system files through Finder. You have to enable the root account and use its Finder, or make changes through the terminal.”

    I’m away from my Mac at the moment, but I’m very nearly positive this isn’t true. When logged in as an administrator, you can indeed alter system files, as long as you can provide the correct password- essentially a GUI sudo. Which is, unless I’m mistaken, what you’re getting at.

    But, I agree, that should be what happens on every OS.

  4. Great article, as usual. I would love to see this streamlined. However, would this create security risks? Maybe. Maybe not. Having the ability via sudo in the terminal, means that you could potentially have the ability in the GUI as well. I would just be concerned about implementation.

  5. You asked about how this could be done in xp, here’s one solution. Search for cmd.exe, rt-click it and choose run-as, and enter an admin acct and pw. Now you’ve got a CLI as the admin. Now cd to your exe to open it as the admin, and edit your file. When finished, close app and exit cmd shell, and you’re back as regular user.

    Thanks for all the good ubuntu info.

  6. Continuing on jon’s post above, you could also right-click on the icon for the program you need to open the file (Word for documents, Acrobat for PDFs, etc.) then pick “Run as..” and run the program as the administrator account, then open the file within that program. Clunky? As hell. But better than logging out and back in. It’s idiotic that there’s a “run as…” dialog for programs, but no “open as…” dialog for documents, but that about sums up running as a non-administrator in XP.

    God bless you for keeping on with the LUA account in XP. I know better, and I still log in as administrator on my XP box at home because crap like that was just too much of a pain.

  7. Good topic, especially for those who aren’t very adept at CLI changing permissions is tough stuff. I like the idea of a
    * Modify system folder (you will be prompted for a password)
    * Do not modify the system folder
    popup. However the most striking thing about this post was “he’ll get an authentication dialogue to make changes to the system file”. Forget an s? Or was this intentional?…

  8. Well, Mac is kind of inconsistent about this. I just tried it out on my wife’s Powerbook.

    If I open up a system file and try to save my edits, I’m told that I need to change permissions on the file in order to edit it (not ideal, especially since changing permissions on system files can break your system).

    I am, however, without authentication, allowed to delete system files (send them to the trash).

    Funny thing, though: I always remembered Mac having a “restore from trash” function. But I just checked, and it doesn’t. Guess Gnome isn’t alone in this respect, after all.

    Thanks for the Windows hints. So basically there are weird terminal workarounds or going through the backend (open the program, not the file directly), but there are ways other than logging in as administrator.

    Oh, and I didn’t forget the s. I just didn’t want it to get too confusing with the same pronoun for two distinct hypothetical people.

  9. I personally like the way its done. It should though be integrated with nautilus to make it 10x easier to use. I also strongly think that there should be an Ubuntu Manual on the Desktop of every Ubuntu installation.
    IMHO, new users REALLY need it.

Leave a Reply to Aaron Cancel reply

Your email address will not be published. Required fields are marked *