

From: Bas Wijnen
Subject: Re: POSIX
Date: Wed, 26 Oct 2005 16:29:05 +0200
User-agent: Mutt/1.5.11

On Wed, Oct 26, 2005 at 04:13:43PM +0200, Alfred M. Szmidt wrote:
>      Web browsers
>      Email readers
>      Word processors
>      Document browsers (e.g. acrobat, xpdf, ghostview)
> All those run in a jail of sorts: the current user.

This is UID based access control.  It works, but it violates the principle of
least authority very much, and is therefore immensely insecure.  True, they
cannot mess up the operating system, but only the home dir of the user.  But
what's more important, a system which can be reinstalled, or data which only
has a two-week-old backup (if you're lucky)?

> What would be nifty is a way to allow a user to make sub-users, where he can
> encapsulate a program and only give write/read access to a specific
> directory.  Which is possible to do with any extensive rewrites I think.

That would be what a capability system is all about.  You only give the rights
away that the process actually needs, not your full user rights.  I'm glad you
like it. :-)

>    Each of these runs code written by a very large number of untrusted
>    developers, and each downloads "plugins" (or equivalently: can spawn
>    local commands at the direction of documents) that I know nothing about.
> [...]
>    The plugin code very often *is* hostile, and the programs that run
>    them very often contain security bugs.
> Same thing can be said about kernels.

Kernels (and the rest of the TCB) are indeed very critical.  They must be
correct, or you're in big trouble from a security point of view.  Luckily it
isn't too much code (with a microkernel design), and it may even be possible
to formally verify correctness on it.

>    On the server side, things are even worse -- for those I need a new
>    sub-hurd for every page request that involves any sort of active
>    content.
> Such paranoia isn't useful for a multi user system, or a single user
> system.  All it is is an academic exercise in `intellectual
> masturbation'.

You may think so.  But what if it's possible?  It would be great to work on
such a system, wouldn't it?  Imagine the feeling that the worst thing a
hostile program can do is to not do its job.  Compare that to the current
situation on GNU/Linux, where it can ruin all your personal files.

I think this is something which is worth a lot of effort.


I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see

