l4-hurd

Re: Supporting POSIX *users*


From: Jonathan S. Shapiro
Subject: Re: Supporting POSIX *users*
Date: Thu, 27 Oct 2005 11:38:31 -0400

On Thu, 2005-10-27 at 17:26 +0200, Alfred M. Szmidt wrote:
>    Okay. Please explain how to safely run a browser plugin when the
>    plugin can write to anything in the file system.
> 
> Why must it not write anything in the file-system?  I fail to see the
> point.

Because the plugin is untrusted, hostile code. Writing things to the
file system is how it installs viruses, trojan horses, and scrambles
your files.

Writing things down is okay. The problem is that the plugin has the
ability to write things down *anywhere*, and other programs then have
access to whatever the hostile plugin wrote down.

>   I'm using emacs for my daily work; it would be a pita if you
> confined emacs to only allow it to touch some file depending on the frame
> or buffer I'm using.

Emacs is not a plugin, but I would have to say that this aspect of emacs
*is* architecturally unsafe.

The practical solution is that you, as a user, should be able to grant
emacs access to your files. This amounts to making emacs a shell (which
is how many people use it). But it does not mean that your emacs should
be able to read or write *my* files.

>     Alfred: you are simply wrong. And you have been pointed at the
>    formal results that conclusively, mathematically *prove* that you
>    are wrong, you have ignored them, and you persist in making this
>    wrong assertion.
> 
> Sorry, but it is you who are wrong; you constantly refer to scientific
> `proofs' that have no relation to reality.  I really don't care about
> a 100% secure system. Why? Because it isn't practical to implement.
> In theory it is all dandy, but in reality it is a pile of unusable
> crap.

Obviously we disagree about whether security is important, but you
mis-characterize what those results mean. Those results do not say that
security in current systems is imperfect. They say that security in
current systems is *nonexistent*.

shap