Re: Changing from L4 to something else...

[Neal H. Walfield]

At Sun, 30 Oct 2005 18:58:54 +0100,
Bas Wijnen wrote:
> On Sat, Oct 29, 2005 at 04:10:19AM +0200, Yoshinori K. Okuji wrote:
> > On Friday 28 October 2005 07:10 pm, Jonathan Shapiro wrote:
> > > It is a curious thing that people simultaneously want safety from the 
> > > admin
> > > and help from them. Sometimes you have to pick one or the other.
> > 
> > You are right. Fortunately or unfortunately, this is the truth. So I 
> > repeatedly claim that balancing is the key point in making decisions.
> 
> Still, telling people "I am the owner of this computer, you can use it, and I
> am not technically able to spy on you or change your things, except if you
> give me your password" should be understandable for "normal" people.  When
> they know this, they will also know that asking the the owner to change their
> data without remembering their password will result in a negative response.
> They may not like that, but I think they consider it a good idea to be
> protected from the sysadmin.  And if they don't, nothing stops them from
> installing a back door for him.  That is, this can be realised on a per-user
> basis.  That sounds like a good idea to me. :-)

I don't buy this argument.  It seems pretty easy to me to implement
su.  You just need the help of the session manager: if a task holds
the super user capability, it can retrieve a capability to any user's
session.

Or am I missing something?

Thanks,
Neal