ros security and registry

Here you can discuss ReactOS related topics.

Moderator: Moderator Team

Post Reply
ThePhysicist
Developer
Posts: 508
Joined: Mon Apr 25, 2005 12:46 pm

ros security and registry

Post by ThePhysicist » Fri Apr 29, 2005 12:41 am

I have thought about some problems concerning the windows security and registry, wich should be made better in reactos and possible solutions:

1.) Administrator rights
Problem:
Many apps (cd burning etc.) need administor rights to work properly. This makes many people to always work with administrator rights. This is a security problem.

Possible solution:
Make most apps (like cd burning, installation) work for the main user without admin rights. Let the admin (maybe first time at installation) easily configure basic rights for the user (e.g. allow installation, allow installation of autostart progs, etc.) Allow temporary registry write (wich is deleted after logout) to make some installations work, if they require admin rights where they should not have. This may help a lot of apps work.

2.) Autostart installation
Problem:
Sometimes programs (unwanted programs) install themselves into autostart. Most users don't even recognize it. (I've seen progs, wich when you terminate the process, it's there again in seconds, deleting it from the registry, makes it put itself back there, deleting the .exe makes itself restore the files. I've even set writing rights to reject in the registry but it didn't help, rejecting execution rights in the folder solved the problem)

Possible solution:
Let the administrator choose, if a user can install autostart programs or not or only temporary or always ask the user, if it's allowed. This could prevent spyware to be installed on the computer.

3.) Size and structure of the registry
Problem:
The registry is so big, it is sometimes almost impossible to find the needed keys. And it gets bigger and bigger with every installation you do. Old and obsolete keys make the system slower and slower.

Possible solution:
Divide the registry into smaller pieces, they might be put in these folders:

HKEY_CURRENT_USER/SOFTWARE/xyz -> \Documents and settings\application data\xyz\reg.dat
HKEY_LOCAL_MACHINE/SOFTWARE/xyz -> \Programs\xyz\reg.dat (installation folder)

Now trace what programs put wich files where. This could be saved in \programs\software.dat. After uninstalling ask for "complete" (this removes the folder with all the global reg entries and the user settings) or "custom" (here you can select if to remove the program folder/remove user settings/remove global settings). If you just delete a program folder, the reg-keys of the software will disappear. At startup the system could check for missing reg-files and delete them from \programs\software.dat.
After a clean installation all software reg entries will be there again: no need to reinstall for most apps!

4.) Registry accessability:
Problem:
It is not easy to backup the needed settings or just copy them, if you want to make a new, clean installation (wich is sometimes needed to get back your default system speed). Even an administrator cannot easily copy the needed files, as they are in use. (Since Win XP there is an export function, but I think linux is better here, where you can just copy the needed stuff)

Possible solution:
Grant full access to the files for the administrator, so backup is no problem. Just copy the needed files / folders into another directory, make a clean install, and copy them back. Maybe creating / deleting users should be able by copying / deleting the \Documents and Settings\user_xyz folder. And reinstalling the system should automatically create the users, wich are already present in the \documents folder. This would make migration from windows systems a lot easier.
This can of course damage these reg files, but there should be a check, whether the new reg-files are probably ok, or not and the administrator should be asked, if it should really be done! and there should be a backup wich can be restored at system startup.

5.) Software installed dlls
Problem:
Many Programs install their dlls into the system32 folder. This has 2 problems: It sometimes leaves obsolet dlls there. And it prevents programs from working after a new system installation.

Possible solution:
ask if software installed dlls should be placed into the installation folder. There may be a list, wich dlls can be found where. This could be in programs\software.dat. So after removing these installation folders the system would ask if the dlls should be deleted or put into the system32 folder.

These are my suggestions. There maybe better ways, so I hope for some feedback.

Greetings,
Timo

MadRat
Posts: 243
Joined: Fri Feb 04, 2005 8:29 am
Contact:

Post by MadRat » Fri Apr 29, 2005 7:41 am

MS has long since split the registry up into multiple files.
*************************************
Go Huskers!

Jaix
Moderator Team
Posts: 838
Joined: Sat Nov 27, 2004 3:40 pm
Location: Sweden, Växjö

Nice ideas...

Post by Jaix » Fri Apr 29, 2005 6:03 pm

Yes, I think these ideas are good, I agree.

Duck
Posts: 24
Joined: Mon Jan 03, 2005 4:44 am

About applications which need administrator rights

Post by Duck » Fri Apr 29, 2005 8:55 pm

In the default non admin account the user should be able to make those apps that need admin rights to work with administrator rights.

The user would simply (in his limited account)have to choose:
Right click
Run as
Administrator (prompts password and secondary password or something like that)
pretty mutch like xp but after the second admin level password the user would be able to make that app behavior permanent.

This feature should be used also to install programs, or to do those annoying things which you need to do in administrator accouns.

Of course the password policy would/should have to be very hard for this to work. but i think its better to remember two paswords than aving to log in and out of user accounts to manage minor administrator tasks.

oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Physicus good but I have point from Linux

Post by oiaohm » Sat Apr 30, 2005 3:21 am

4.) Registry accessability:
Problem:
It is not easy to backup the needed settings or just copy them, if you want to make a new, clean installation (wich is sometimes needed to get back your default system speed). Even an administrator cannot easily copy the needed files, as they are in use. (Since Win XP there is an export function, but I think linux is better here, where you can just copy the needed stuff)
Harded Linux systems Can require a boot disk to carry out the backup or the etc directory due to major limited access. Each program can only access its own config file. And the etc directory is off limits.

This is not a verry big problem. It can be worked around. Harded systems are ment to make crackers life hell.

Everything else is great.

LOst
Posts: 27
Joined: Sat Feb 12, 2005 9:33 pm

Post by LOst » Sat Apr 30, 2005 6:03 am

I guess all of these things have been thought about, even from Microsoft's side... But for some reason, they haven't been applied.

One thing that irritates me the most is the auto-selection when you use the mouse in Windows 98 or later versions to select text, it auto selects words and sometimes over the dot and the space after the dor when you only want one word. That's the most annoying thing in Windows.
The second most annoying part of Windows is the autostart function as you said, programs keep put themselves up in the registery uncontrolled. One way to stop this would be to put up a warning dialog like the Windows XP SP2 security connection blocker, to block programs that you don't want to access parts of the registery or the Run/RunOnce keys.

Seriously, non of these problems are in ReactOS, so this is more a way to say Microsoft pisses me off for not fixing such security holes and annoying features.

I count all programs that access the global registery and changes it for its own purpose without user input as virus.

The same goes for programs accessing the network, or Internet without user input.

All these problems must be fixed in any Windows versions, including ReactOS.

w3seek
Developer
Posts: 144
Joined: Tue Nov 23, 2004 12:12 am

Post by w3seek » Mon May 02, 2005 2:04 am

LOst wrote:I count all programs that access the global registery and changes it for its own purpose without user input as virus.
The global registry (i assume you mean HKEY_LOCAL_MACHINE) is read-only for standard users, only the administrator account can write to it...
Maybe it'd help if people who don't know what they do stopped abusing their administrator account...

MadRat
Posts: 243
Joined: Fri Feb 04, 2005 8:29 am
Contact:

Post by MadRat » Mon May 02, 2005 2:43 am

Thats not altogether, true. w3seek. Commercial software regularly requires user write access to the HKLM\SOFTWARE group. The users shouldn't need the access if developers actually wrote code that was compliant to XP's design, but unfortunately its not always happening. I'd say its closer to the normal for Win32 programs to require write access to that section of the registry so that users can set options in their programs. Sad, but true.
*************************************
Go Huskers!

LOst
Posts: 27
Joined: Sat Feb 12, 2005 9:33 pm

Post by LOst » Mon May 02, 2005 5:45 am

w3seek wrote:
LOst wrote:I count all programs that access the global registery and changes it for its own purpose without user input as virus.
The global registry (i assume you mean HKEY_LOCAL_MACHINE) is read-only for standard users, only the administrator account can write to it...
Maybe it'd help if people who don't know what they do stopped abusing their administrator account...
I'm mostly talking about:
HKEY_LACAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

when I said Global registry I meant places that Windows usues for settings such as:
HKEY_LACAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Duck
Posts: 24
Joined: Mon Jan 03, 2005 4:44 am

regprot

Post by Duck » Mon May 02, 2005 10:02 am

Have you guys ever heared of an app called regprot?

It warns me every time a program wants to write into the registry with a mesage box. I can either alow it to or bock the program

chris319
Posts: 55
Joined: Tue Feb 08, 2005 9:43 pm

Post by chris319 » Mon May 02, 2005 11:59 pm

Devil's advocate question: Will any of these proposed modifications break third-party registry programs such as cleaners and editors, and if so, do we care? If you're aiming for true Windows compatability this question has to be asked.

I've always thought it absolutely ludicrous that any old application can do just about anything it wants to the registry. The registry controls the system! If I were in charge there would be a separate system registry which COULD NOT BE TOUCHED by third-party applications. The only software which could modify this special system registry would be Windows Update, service packs, and such things as driver and network configuration wizards, etc. There would then be a separate registry for applications which, if thrashed by an app, would still leave you with a stable core machine.

w3seek
Developer
Posts: 144
Joined: Tue Nov 23, 2004 12:12 am

Post by w3seek » Tue May 03, 2005 10:26 am

LOst wrote:I'm mostly talking about:
HKEY_LACAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

when I said Global registry I meant places that Windows usues for settings such as:
HKEY_LACAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
These places are read-only for standard users.... They can only screw their own registry (HKEY_CURRENT_USER)

Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], DotBot [Crawler] and 3 guests