[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Changing from L4 to something else...
|
From: |
Jonathan S. Shapiro |
|
Subject: |
Re: Changing from L4 to something else... |
|
Date: |
Tue, 01 Nov 2005 10:51:34 -0500 |
On Tue, 2005-11-01 at 14:05 +0100, Bas Wijnen wrote:
> On Mon, Oct 31, 2005 at 10:19:47PM -0500, Jonathan S. Shapiro wrote:
> > On Mon, 2005-10-31 at 19:41 -0700, Christopher Nelson wrote:
> > > > 1) How does an administrator help a user fix a misbehaving session (i.e.
> > > > if a malicious program finds some way to take over a user's session by
> > > > doing something like take focus any time the user moves the mouse) if
> > > > they can't interact with the user's session?
>
> A normal application should not have the right to move windows. It may have
> the right to ask the window manager to do that. The window manager must be
> trusted by the user. The user should be able to tell the window manager
> "don't accept any requests from windows to be moved", and then it will do
> that.
No. The window manager should simply not accept move requests for
top-level windows. No user advisory should be required or possible. The
design policy here is that the user is in charge and the application is
not.
There are both security and usability reasons to prohibit
application-initiated move. The security issue is that if the app can
move the window it can hijack the keyboard. Try to think like an
attacker and ask yourself how you might exploit this feature.
The usability issue is that when applications spontaneously change their
interaction state, users become terribly confused.
> > > Same way you do it on a Windows system: reboot. ;-)
>
> > Doesn't work in a persistent system.
>
> There you go. I just asked for a problem with persistence in a previous
> e-mail, and now I've found it. :-) Next question: Is this a problem? I think
> not...
shap