This article is missing information about the Mac "Authenticate" dialog.(September 2021) |
A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT (and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.
![]() |
User Account Control (UAC): Included with Windows Vista and later Microsoft Windows operating systems, UAC prompts the user for authorization when an application tries to perform an administrator task. [1] |
Runas: A command-line tool and context-menu verb introduced with Windows 2000 that allows running a program, control panel applet, or a MMC snap-in as a different user. [2] Runas makes use of the "Secondary Login" Windows service, also introduced with Windows 2000. [3] This service provides the capability to allow applications running as a separate user to interact with the logged-in user's desktop. This is necessary to support drag-and-drop, clipboard sharing, and other interactive login features. |
![]() |
macOS includes the Authenticate dialog, which prompts the user to input their password in order to perform administrator tasks. This is essentially a graphical front-end of
sudo command.
|
![]() |
PolicyKit/pkexec: A privilege authorization feature, designed to be independent of the desktop environment in use and already adopted by GNOME [4] In contrast to earlier systems, applications using PolicyKit never run with privileges above those of the current user. Instead, they indirectly make requests of the PolicyKit daemon, which is the only program that runs as root. |
![]() |
su: A command line tool for Unix. su (substitute user) allows users to switch the terminal to a different account by entering the username and password of that account. If no user name is given, the operating system's superuser account (known as "root") is used, thus providing a fast method to obtain a login shell with full privileges to the system. Issuing an exit command returns the user to their own account. |
![]() |
sudo: Created around 1980, [5] sudo is a highly configurable Unix command line tool similar to su, but it allows certain users to run programs with root privileges without spawning a root shell or requiring root's password. [6] |
![]() |
GKSu and GKsudo: GTK+ Graphical frontend to su and sudo. [7] GKsu comes up automatically when a supported application needs to perform an action requiring root privileges. A replacement, "gksu PolicyKit", which uses PolicyKit rather than su/sudo, is being developed as part of GNOME. [8] |
![]() |
kdesu: A Qt graphical front-end to the su command for KDE. [9] |
![]() |
kdesudo: A Qt graphical front-end to sudo that has replaced kdesu in Kubuntu, starting with Kubuntu 7.10. [10] |
![]() |
ktsuss: ktsuss stands for "keep the su simple, stupid", and is a graphical version of su. The idea of the project is to remain simple and bug free. |
![]() |
beesu: A graphical front-end to the su command that has replaced gksu in Red Hat based operating systems. It has been developed mainly for RHEL and Fedora. [11] |
doas: sudo replacement since OpenBSD 5.8 (October 2015) |
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
A major security consideration is the ability of malicious applications to simulate keystrokes or mouse clicks, thus tricking or spoofing the security feature into granting malicious applications higher privileges.
Another security consideration is the ability of malicious software to spoof dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.
Another consideration that has gone into these implementations is usability.
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
sudo -k
command when from each tty or pts in which sudo was used (in the case of pts's, closing the terminal emulator is not sufficient). The equivalent command for kdesu is kdesu -s
. There is no gksudo option to do the same; however, running sudo -k
not within a terminal instance (e.g. through the Alt + F2 "Run Application" dialogue box, unticking "Run in terminal") will have the desired effect.
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
In order for an operating system to know when to prompt the user for authorization, an application or action needs to identify itself as requiring elevated privileges. While it is technically possible for the user to be prompted at the exact moment that an operation requiring such privileges is executed, it is often not ideal to ask for privileges partway through completing a task. If the user were unable to provide proper credentials, the work done before requiring administrator privileges would have to be undone because the task could not be seen through to the end.
In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:
/etc/sudoers
, which contains a list of users and the privileged applications and actions that those users are permitted to use. The grammar of the sudoers file is intended to be flexible enough to cover many different scenarios, such as placing restrictions on command-line parameters. For example, a user can be granted access to change anybody's password except for the root account, as follows:pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
Notepad.exe.manifest
. When an application is started, the manifest is looked at for information about what security requirements the application has. For example, this XML fragment will indicate that the application will require administrator access, but will not require unfettered access to other parts of the user desktop outside the application:<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
</security>
This article is missing information about the Mac "Authenticate" dialog.(September 2021) |
A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT (and its descendants), CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.
![]() |
User Account Control (UAC): Included with Windows Vista and later Microsoft Windows operating systems, UAC prompts the user for authorization when an application tries to perform an administrator task. [1] |
Runas: A command-line tool and context-menu verb introduced with Windows 2000 that allows running a program, control panel applet, or a MMC snap-in as a different user. [2] Runas makes use of the "Secondary Login" Windows service, also introduced with Windows 2000. [3] This service provides the capability to allow applications running as a separate user to interact with the logged-in user's desktop. This is necessary to support drag-and-drop, clipboard sharing, and other interactive login features. |
![]() |
macOS includes the Authenticate dialog, which prompts the user to input their password in order to perform administrator tasks. This is essentially a graphical front-end of
sudo command.
|
![]() |
PolicyKit/pkexec: A privilege authorization feature, designed to be independent of the desktop environment in use and already adopted by GNOME [4] In contrast to earlier systems, applications using PolicyKit never run with privileges above those of the current user. Instead, they indirectly make requests of the PolicyKit daemon, which is the only program that runs as root. |
![]() |
su: A command line tool for Unix. su (substitute user) allows users to switch the terminal to a different account by entering the username and password of that account. If no user name is given, the operating system's superuser account (known as "root") is used, thus providing a fast method to obtain a login shell with full privileges to the system. Issuing an exit command returns the user to their own account. |
![]() |
sudo: Created around 1980, [5] sudo is a highly configurable Unix command line tool similar to su, but it allows certain users to run programs with root privileges without spawning a root shell or requiring root's password. [6] |
![]() |
GKSu and GKsudo: GTK+ Graphical frontend to su and sudo. [7] GKsu comes up automatically when a supported application needs to perform an action requiring root privileges. A replacement, "gksu PolicyKit", which uses PolicyKit rather than su/sudo, is being developed as part of GNOME. [8] |
![]() |
kdesu: A Qt graphical front-end to the su command for KDE. [9] |
![]() |
kdesudo: A Qt graphical front-end to sudo that has replaced kdesu in Kubuntu, starting with Kubuntu 7.10. [10] |
![]() |
ktsuss: ktsuss stands for "keep the su simple, stupid", and is a graphical version of su. The idea of the project is to remain simple and bug free. |
![]() |
beesu: A graphical front-end to the su command that has replaced gksu in Red Hat based operating systems. It has been developed mainly for RHEL and Fedora. [11] |
doas: sudo replacement since OpenBSD 5.8 (October 2015) |
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
A major security consideration is the ability of malicious applications to simulate keystrokes or mouse clicks, thus tricking or spoofing the security feature into granting malicious applications higher privileges.
Another security consideration is the ability of malicious software to spoof dialogs that look like legitimate security confirmation requests. If the user were to input credentials into a fake dialog, thinking the dialog was legitimate, the malicious software would then know the user's password. If the Secure Desktop or similar feature were disabled, the malicious software could use that password to gain higher privileges.
Another consideration that has gone into these implementations is usability.
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
sudo -k
command when from each tty or pts in which sudo was used (in the case of pts's, closing the terminal emulator is not sufficient). The equivalent command for kdesu is kdesu -s
. There is no gksudo option to do the same; however, running sudo -k
not within a terminal instance (e.g. through the Alt + F2 "Run Application" dialogue box, unticking "Run in terminal") will have the desired effect.
![]() | This section needs expansion with: Information for the Mac "Authenticate" dialog. You can help by
adding to it. (December 2009) |
In order for an operating system to know when to prompt the user for authorization, an application or action needs to identify itself as requiring elevated privileges. While it is technically possible for the user to be prompted at the exact moment that an operation requiring such privileges is executed, it is often not ideal to ask for privileges partway through completing a task. If the user were unable to provide proper credentials, the work done before requiring administrator privileges would have to be undone because the task could not be seen through to the end.
In the case of user interfaces such as the Control Panel in Microsoft Windows, and the Preferences panels in Mac OS X, the exact privilege requirements are hard-coded into the system so that the user is presented with an authorization dialog at an appropriate time (for example, before displaying information that only administrators should see). Different operating systems offer distinct methods for applications to identify their security requirements:
/etc/sudoers
, which contains a list of users and the privileged applications and actions that those users are permitted to use. The grammar of the sudoers file is intended to be flexible enough to cover many different scenarios, such as placing restrictions on command-line parameters. For example, a user can be granted access to change anybody's password except for the root account, as follows:pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
Notepad.exe.manifest
. When an application is started, the manifest is looked at for information about what security requirements the application has. For example, this XML fragment will indicate that the application will require administrator access, but will not require unfettered access to other parts of the user desktop outside the application:<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
</security>