l4-hurd

RE: Design principles and ethics


From: Christopher Nelson
Subject: RE: Design principles and ethics
Date: Mon, 1 May 2006 16:51:25 -0600

> On Sun, Apr 30, 2006 at 06:59:22PM -0400, Jonathan S. Shapiro wrote:
> > > > So there is no /sbin/passwd, and it was not considered in the
> > > > question, which is about the program accessing a central password
> > > > database (which I agree we should avoid if we can, but that is not
> > > > the point).
> > >
> > > A program that can access a central password database in write-mode
> > > is _not_ confined.  It can be run as a system service that is
> > > accessed through a capability, just like any other system service,
> > > if desired.
> >
> > This is not correct. By executing the program the user is authorizing
> > the program to access the password database. The requirement for
> > confinement is that they be able to check in advance whether such an
> > authorization is given.
>
> In the case of trivial confinement, the child implicitly agrees for the
> parent to debug it, because it allows itself to be started by it.  Let
> me put it differently: The child's opinion about this is irrelevant,
> because the child isn't a party in the operation of starting a confined
> process.  The parties which are involved are the parent, which is the
> process starting the child, and the instantiator, which is the process
> requesting the startup.

If the child doesn't *want* to be started by any given parent, that's
just tough luck?  What you are saying, then, is that *any* program can
be run by *any* other program, and the program which is spawned has no
control over anything?

> If it doesn't, it must refuse to run at all.

How does the child have any guarantees about anything?  In other words,
how can it refuse to run?

-={C}=-
