
Re: Design principles and ethics


From: Jonathan S. Shapiro
Subject: Re: Design principles and ethics
Date: Sun, 30 Apr 2006 15:02:48 -0400

On Sun, 2006-04-30 at 20:48 +0200, Tom Bachmann wrote:
> Jonathan S. Shapiro wrote:
> > In the absence of setuid, and assuming that parents get to inspect their
> > children, how is /sbin/passwd protected?
> > 
> 
> Not at all. It only accesses data the user is allowed to access. I
> explained this in a former mail.

Apparently I did not see it. Here is the essential question:

/sbin/passwd requires the authority to write the password database,
which the user does not have. So: we must answer (1) how
does /sbin/passwd come to hold this authority when the user does not?
(2) Given that the running instance of /sbin/passwd is a child of a
program owned by the user, what stops the parent program from reading
that authority out of the /sbin/passwd running image?

I do remember a proposal that we should trust the user's top-level
shell. I do not know if it was your proposal, but this is not sufficient
unless we somehow guarantee that *only* the top-level shell has the
authority to start a copy of /sbin/passwd...


shap
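The second of the two questions above (what stops the parent from reading the authority out of the child's running image) is the one a classic Unix kernel answers with a per-process flag rather than with capabilities: when a setuid image is exec'd, the kernel marks the process non-dumpable, and an unprivileged process, the parent included, is then refused ptrace access to it and to its memory. The following program is an added illustration of that mechanism and is not code from this thread or from the Hurd/L4 projects; it assumes Linux and an unprivileged caller (root holds CAP_SYS_PTRACE and is exempt from the check). Rather than installing a real setuid binary, the child clears its own dumpable flag with prctl(PR_SET_DUMPABLE, 0), which puts it in the same state the kernel gives a setuid image; the function name try_attach is mine.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child and, if protect != 0, have it clear its "dumpable" flag the
 * way the kernel does for a setuid image.  The parent then tries to attach
 * to the child as a debugger, which is the first step of reading its memory.
 * Returns 0 if PTRACE_ATTACH succeeded, otherwise the errno it failed with. */
int try_attach(int protect)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {
        /* child: optionally protect ourselves, tell the parent we are ready,
         * then wait until the parent kills us */
        close(pipefd[0]);
        if (protect)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        if (write(pipefd[1], "r", 1) < 0)
            _exit(1);
        close(pipefd[1]);
        pause();
        _exit(0);
    }

    /* parent: wait for the child's readiness byte (or EOF if it died) */
    close(pipefd[1]);
    char c;
    while (read(pipefd[0], &c, 1) < 0 && errno == EINTR)
        ;
    close(pipefd[0]);

    int result = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        result = errno;                 /* EPERM for a non-dumpable child */
    } else {
        int status;
        waitpid(pid, &status, 0);       /* child stops on attach */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);              /* reap the child */
    return result;
}

int main(void)
{
    int plain = try_attach(0);
    int guarded = try_attach(1);
    printf("ordinary child:     %s\n", plain ? strerror(plain) : "attach succeeded");
    printf("non-dumpable child: %s\n", guarded ? strerror(guarded) : "attach succeeded");
    return 0;
}
```

On a stock Linux box run as a normal user, the ordinary child is attachable (Yama's default ptrace_scope of 1 still lets a parent trace its own descendants) while the non-dumpable child yields "Operation not permitted". That flag is what substitutes, in the setuid design, for the confinement Shapiro is asking the capability design to supply: the parent created the process, but the kernel no longer lets it look inside.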