[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Changing from L4 to something else...

From: Jonathan S. Shapiro
Subject: Re: Changing from L4 to something else...
Date: Sun, 30 Oct 2005 18:09:45 -0500

On Sun, 2005-10-30 at 22:00 +0000, Neal H. Walfield wrote:

> I don't think so.  Why doesn't the system administrator control the
> session manager?  Why can't the system administrator decide which
> session manager to install (e.g. the one with the method which given a
> username and a particular capability returns the session capability of
> the specificed user)?

Because the session manager is part of the trusted path, and the system
administrator is not. It is actually very important that this particular
component *not* be replaceable, since if it is replaced, *all* of the
security guarantees of the system get thrown out the window.

> I'd be interesting in understanding how one could build a system in
> which system administrators can't install their own session managers.

Very easily. The system administrator's options are limited by the
initial system load. If this system load does not permit replacement of
the session manager, that's the end of that.

Yes, if the system administrator is prepared to boot a diskless CD and
use something comparable to fsdb, they can do just about anything
(assuming secure boot is not being used). But there is absolutely no
intrinsic reason why the initial system load should give the sysadmin
more authority than we have discussed.

As an implementor of an operating system, you might choose to do so, but
there is no reason that you *must* do so.

> Moreover how do users verify that the system administrator doesn't
> have this capability?  (I think this is basically the secure booting
> problem.)

It is *exactly* the secure booting problem. However, even without secure
boot, the user knows what OS is running, and this may provide a
sufficiently high degree of confidence to decide that the risk is worth

Neal: I would like to propose that you should pursue the question "how
might this limit be achieved" and suspend disbelief temporarily on
whether it is a good idea. Good or bad, the idea is currently an *alien*
idea. Perhaps it makes sense to explore this alien idea on its own terms
long enough to grasp it, and then step back to ask whether/how/where you
wish to apply it.

All of this discussion is a corollary to the "there shouldn't be a
superuser" discussion.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]