UAC provides just-in-time elevation. The user belongs to the 'admin' group (aka wheel) and only receives an admin token when performing a task that requires elevation. Once the task is complete, the token is destroyed.
> Once the task is complete, the token is destroyed.
It's less granular than a task though, it's an execution context. If you're running Notepad++ and it wants to update, it requires an elevation. The installer is now running in an admin context and can do whatever it wants, once it's finished installing it usually asks if you want to launch Notepad++ again. At that point the installer running in the admin context can launch Notepad++ within that admin context.
Thus there's a potential for the admin context to persist indefinitely.
In my mind, tasked based elevation is more granular. Something like "I need to write to the program files directory" and not a carte blanche "gimmie admin access to do whatever the hell I want".
Sorry, I'm confused. I can't figure out from your explanation how the new adminless just-in-time elevation is supposed to be different from UAC's just-in-time elevation?
UAC is per-process and monotonic. Once elevated, the entire process stays elevated.
The new model is per-operation. Even if the same process has been allowed to elevate before, it must ask to do it again. I don't know how granular this is, and whether there's a grace period like sudo.
However, the biggest problem with UAC was that it was considered too noisy for the end user, leading to people just blindly accepting every dialog and Microsoft turning down the default level to the much less secure "don't always prompt". I don't know how this new model will address that problem; naively, it seems to be worse on this front.
Huh. In that case, the upthread commenter likening the new model to being more "linux-like" seems confusing.
Given that they didn't mention which Linux security model the new system was like, I presumed they meant the most commonly referenced model for performing administrative tasks: sudo/doas - which elevates a process for its entire runtime.
But if it's a per-operation model, I guess they might have been comparing it to the "desktop portal"/"policykit-dbus" model instead? Which does kind of fit, but I don't think is the security model that most people think of when someone says "linux-like just-in-time escalation"?
It's less granular than a task though, it's an execution context. If you're running Notepad++ and it wants to update, it requires an elevation. The installer is now running in an admin context and can do whatever it wants, once it's finished installing it usually asks if you want to launch Notepad++ again. At that point the installer running in the admin context can launch Notepad++ within that admin context.
Thus there's a potential for the admin context to persist indefinitely.
In my mind, tasked based elevation is more granular. Something like "I need to write to the program files directory" and not a carte blanche "gimmie admin access to do whatever the hell I want".