[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Changing from L4 to something else...

From: Neal H. Walfield
Subject: Re: Changing from L4 to something else...
Date: Sun, 30 Oct 2005 22:00:31 +0000
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Sun, 30 Oct 2005 21:51:20 +0100,
Bas Wijnen wrote:
> > I don't buy this argument.  It seems pretty easy to me to implement
> > su.  You just need the help of the session manager: if a task holds
> > the super user capability, it can retrieve a capability to any user's
> > session.
> > 
> > Or am I missing something?
> I believe so.  When a session is started, it will generate a configuration
> object.  With a capability to that object, the session can be configured.  I
> assume you mean this capability with "a capability to a user's session".
> This capability is _not_ given to the system administrator by default.  The
> user can choose to give it, but if he does, it would be wise to use a
> revocable version of it.  So unless the user permits the system administrator
> to be super-user over him, the administrator cannot see what the user is
> doing.  He can of course revoke capabilities to storage, to processor time, to
> the terminal, and to anything else which may need to be forcefully claimed for
> some other user.
> Session details should be editable remotely when you autharize yourself (for
> example with an ssh key).  Because of this, su from anything except root is
> easily implemented (because authorization is performed).  But su from root
> (without a password) is only possible if the user allowed it, and it isn't if
> the user didn't allow it.

I don't think so.  Why doesn't the system administrator control the
session manager?  Why can't the system administrator decide which
session manager to install (e.g. the one with the method which given a
username and a particular capability returns the session capability of
the specificed user)?

I'd be interesting in understanding how one could build a system in
which system administrators can't install their own session managers.
Moreover how do users verify that the system administrator doesn't
have this capability?  (I think this is basically the secure booting


reply via email to

[Prev in Thread] Current Thread [Next in Thread]