l4-hurd

Re: setuid vs. EROS constructor


From: Marcus Brinkmann
Subject: Re: setuid vs. EROS constructor
Date: Thu, 13 Oct 2005 15:34:05 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Thu, 13 Oct 2005 14:42:26 +0200,
Bas Wijnen <address@hidden> wrote:
>
> I already concluded that, but we need them anyway.  We want to be mostly
> POSIX-compliant, and that isn't possible without them.

This is true, but with a catch: We want to provide a POSIX personality.

This does not mean that we need user IDs at the lower levels of the
system.  Rather, that user IDs can be provided in addition, on top, or
orthogonal to the actual system.

One thing that was always a goal of the Hurd project was to have
multiple personalities.  But currently, this is not the case, and
there is no real foundation to do so.  The Hurd servers are in some
aspects quite POSIXish.  Not always conceptually.  For example, the
Hurd authors got the signal handling mostly right.  But the actual
details of implementation are tightly built around POSIX.

What Jonathan offers us here is a system which is at the low level
very secure and robust, and some perspective on how to build native
interfaces and application components within that system.

The POSIX personality can be added on top of that, or orthogonal if
you prefer.

I have not given it enough thought yet, but there are basically two
models you can think of.  You can either have a user-local POSIX
"shell" which connects the POSIX emulation with the rest of the
system.  Because this shell is user-local, it would be completely
owned by that user.

Or (but not exclusive-or), you can have a system-wide POSIX "box",
which connects the native system to the POSIX system inside, plus it
provides a way for users to connect to the POSIX system via a terminal
if they have the necessary capabilities (they could get them from the
system administrator, for example).  Within that POSIX box, your "user
ID capability" would be worth whatever it is worth in the POSIX world,
but outside of the POSIX box it would be worthless and authenticate
you for nothing.

These are only rough ideas yet, but I hope it is clear how this would
work.

Thanks,
Marcus
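The two layouts sketched above, as an added illustration that is not part of the message and not Hurd or EROS code: a native layer that understands only capabilities, a system-wide POSIX box that mints uid tokens and translates POSIX mode bits into attenuated capabilities, and a user-local POSIX shell built purely from capabilities its user already holds. All class and function names (NativeFileServer, PosixBox, UidToken, UserShell), the random-bytes token representation, and the simplified permission check (owner/other classes only, root bypasses mode bits) are assumptions made for the example; the files and users in demo() are constructed.

```python
# Added illustration (not Hurd/EROS code): capability-only native layer,
# a system-wide POSIX box, and a user-local POSIX shell.
from dataclasses import dataclass
import secrets

class NativeFile:
    """A native object, reachable only through a Capability."""
    def __init__(self, contents):
        self.contents = contents

@dataclass(frozen=True)
class Capability:
    """Unforgeable handle: target object plus the rights it conveys."""
    target: NativeFile
    rights: frozenset
    def restrict(self, rights):
        """Attenuate; the result never carries more rights than this one."""
        return Capability(self.target, self.rights & frozenset(rights))

class NativeFileServer:
    """The low-level system: it checks capabilities and knows no user IDs."""
    def _check(self, cap, right):
        if not isinstance(cap, Capability) or right not in cap.rights:
            raise PermissionError(f"a {right} capability is required")
    def read(self, cap):
        self._check(cap, "read")
        return cap.target.contents
    def write(self, cap, data):
        self._check(cap, "write")
        cap.target.contents = data

@dataclass(frozen=True)
class UidToken:
    """The box's 'user ID capability': an opaque value that only the box
    which minted it can interpret (assumed representation)."""
    value: bytes

class PosixBox:
    """System-wide POSIX personality: owns the uid table and the POSIX
    namespace, holds full native capabilities to every file it exports."""
    def __init__(self):
        self.tokens = {}   # UidToken -> uid
        self.files = {}    # POSIX path -> (owner uid, mode bits, Capability)
    def add_file(self, path, owner, mode, cap):
        self.files[path] = (owner, mode, cap)
    def login(self, uid):
        """Mint a uid token, e.g. for a terminal login the admin permitted."""
        tok = UidToken(secrets.token_bytes(16))
        self.tokens[tok] = uid
        return tok
    def open(self, token, path, want):
        """POSIX open(): evaluate owner/other mode bits (group class omitted)
        and return a native capability attenuated to what they grant."""
        uid = self.tokens.get(token)
        if uid is None:
            raise PermissionError("token was not minted by this box")
        owner, mode, cap = self.files[path]
        bits = 7 if uid == 0 else (mode >> 6) & 7 if uid == owner else mode & 7
        allowed = {r for r, b in (("read", 4), ("write", 2)) if bits & b}
        if not set(want) <= allowed:
            raise PermissionError(f"uid {uid} may not {want} {path}")
        return cap.restrict(want)

class UserShell:
    """User-local POSIX personality: owned by one user and built only from
    capabilities that user already holds, so it needs no uid table."""
    def __init__(self, caps):
        self.caps = dict(caps)       # POSIX path -> Capability
    def getuid(self):
        return 1000                  # a fiction shown to POSIX programs only
    def open(self, path, want):
        cap = self.caps[path]
        if not set(want) <= cap.rights:
            raise PermissionError(f"no {want} capability for {path}")
        return cap.restrict(want)

def denied(fn, *args):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    """Constructed scenario: /etc/shadow is root-only, /etc/motd world-readable."""
    server = NativeFileServer()
    shadow = Capability(NativeFile("root hashes"), frozenset({"read", "write"}))
    motd = Capability(NativeFile("welcome"), frozenset({"read", "write"}))
    box = PosixBox()
    box.add_file("/etc/shadow", 0, 0o600, shadow)
    box.add_file("/etc/motd", 0, 0o644, motd)
    root, alice = box.login(0), box.login(1000)
    shell = UserShell({"/home/alice/notes": motd.restrict(["read"])})
    return {
        "root_reads_shadow": server.read(box.open(root, "/etc/shadow", ["read"])),
        "alice_denied_shadow": denied(box.open, alice, "/etc/shadow", ["read"]),
        "alice_reads_motd": server.read(box.open(alice, "/etc/motd", ["read"])),
        # an attenuated capability cannot be upgraded by asking the server
        "alice_cap_no_write": denied(server.write, box.open(alice, "/etc/motd", ["read"]), "x"),
        # outside the box even root's uid token authenticates for nothing
        "uid_token_worthless_natively": denied(server.read, root),
        # the user-local shell works from the user's own capabilities alone
        "shell_reads_own_file": server.read(shell.open("/home/alice/notes", ["read"])),
    }
```

The point the model makes concrete: the native server's only question is "which capability did you present?", so a UidToken, however privileged inside the box, is rejected by isinstance before any rights are consulted. The box converts POSIX authority into native authority strictly by attenuation (restrict), never by amplification, which is what keeps the uid world confined to the box; the user-local shell never needs the uid table at all, because everything it can reach, its owner could already reach.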
