bug-hurd

Re: Server overriding; chroot


From: Pierre THIERRY
Subject: Re: Server overriding; chroot
Date: Fri, 28 Mar 2008 00:49:15 +0100
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

address@hidden wrote on 27/03/2008 at 02:28:
> > The problem here is that authority is given instead of demonstrated.
> > No translator should receive a port from a privileged server like
> > the parent FS server.
> Sorry, that's too abstract for me...

This is a classical example of confused deputy. The client says to the
deputy (here the deputy is the parent FS) "Hey, I want to access foo and
frob it!", but cannot in any way access foo itself. Then the deputy
accesses foo, which it can, and frobs it.

If the client had to give the deputy a handle and should say "Hey, I
want you to frob that thing!" and the deputy would use the handle
instead of opening some resource with its own rights, then the client
couldn't do more with the deputy than alone. The client would need
proper rights to open the resource itself and create the handle.

> note that at one point Shapiro actually wanted to drop persistence
> from Coyotos...

And realized it would actually make things harder. Persistence is a key
solution to the secure boot problem: how do you make sure that at each
reboot, your system ends up in a secure state? That's awfully complex.
With a persistent system, you only have to

  - Start in some initial secure state,
  - ensure that each transition of the system from a secure state gives
    another secure state.

> In
> http://lists.gnu.org/archive/html/gnu-system-discuss/2007-09/msg00129.html
> , Marcus proposes a new method for implementing passive translators,
> with the goal of addressing the chroot problem.

That's a very interesting solution! And it may even not be that hard to
implement...

> While personally I believe that the approach he describes doesn't
> really fundamentally change what passive translators are and what they
> can do

Well, now translators can only be started with as much authority as
their creator's. That's a huge difference, I'd say. It should be
analysed further, but at first read, it seems worth a try.

Quickly,
Pierre
-- 
address@hidden
OpenPGP 0xD9D50D8A
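The two designs Pierre contrasts above, as an added illustration that is not part of this message or of the Hurd's own code: a deputy that takes a resource *name* and opens it with its own rights, beside a deputy that only accepts a *handle* the client already obtained. The in-memory file table, principal names and the `frob` operation are constructed for the example.

```python
"""Confused deputy: naming a resource vs. handing the deputy a handle."""
from dataclasses import dataclass

# Constructed file table: path -> (owner, contents).  Stands in for a
# filesystem whose access checks the deputy would otherwise bypass.
FILES = {
    "/home/alice/notes.txt": ("alice", "groceries"),
    "/root/private.txt": ("root", "root only"),
}

class Denied(Exception):
    """Raised when a principal lacks the right to open a file."""

def can_read(principal: str, path: str) -> bool:
    return principal == "root" or principal == FILES[path][0]

@dataclass(frozen=True)
class Handle:
    """An already-authorised reference to one file (a port, in Hurd terms)."""
    path: str

def open_file(principal: str, path: str) -> Handle:
    """The only way to get a Handle: the access check happens here."""
    if not can_read(principal, path):
        raise Denied(f"{principal} may not read {path}")
    return Handle(path)

def frob(handle: Handle) -> str:
    return FILES[handle.path][1].upper()

# Design 1: the deputy is told a name and opens it with ITS OWN rights.
# Whoever can talk to the deputy inherits the deputy's authority.
def deputy_by_name(deputy_principal: str, path: str) -> str:
    return frob(open_file(deputy_principal, path))

# Design 2: the deputy only works on a handle the client already holds.
# The client must have been able to open the resource itself.
def deputy_by_handle(handle: Handle) -> str:
    return frob(handle)

def demo() -> tuple:
    """Returns (alice_opens_directly, result_via_name, alice_succeeds_via_handle)."""
    try:
        open_file("alice", "/root/private.txt"); direct = True
    except Denied:
        direct = False
    via_name = deputy_by_name("root", "/root/private.txt")   # deputy confused
    try:
        deputy_by_handle(open_file("alice", "/root/private.txt")); via_handle = True
    except Denied:
        via_handle = False                                    # authority demonstrated
    return direct, via_name, via_handle
```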
