l4-hurd

Re: setuid vs. EROS constructor


From: Bas Wijnen
Subject: Re: setuid vs. EROS constructor
Date: Mon, 24 Oct 2005 16:53:47 +0200
User-agent: Mutt/1.5.11

On Mon, Oct 24, 2005 at 03:01:25PM +0200, Michal Suchanek wrote:
> On 10/24/05, Bas Wijnen <address@hidden> wrote:
> > - Allocate some pages.
> > - Fill them with code.
> > - Ask the task server to make it a new process.
> 
> Here is the constructor:
> 
> /me points to the task server

The point is that the task server doesn't actually create the process.  The
kernel does that, and only the root server can request it to.  The root server
is just a proxy for requests from normal clients.  The task server is the only
normal client (normal in the sense that it isn't a specially privileged task)
from which the root server will accept requests for process creation.  The
root server does not work with normal capabilities (at least in the current
design on L4 it doesn't), but simply with a thread ID.  Probably on L4.sec it
would use a capability, which could eliminate the need for a task server for
this (but probably doesn't, because it needs to do some accounting as well.)

So, there is only one task server.  There are many constructors (one for each
executable).  This makes them very different IMO.

> The fact that it is weak and does not provide much guarantee does not
> make the process creation more direct in my eyes.

When we would create constructors on L4, they would still need to call the
task server for the actual creation of a new address space.  So it is in fact
an extra indirection.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
