1998-12-28-17:13:11 Paul D. Robertson:
> A single-cgi Web server seems of little use to me in the grand scheme of
> things.
How about "single set of data all of comparable value managed by a common set
of code" server? May be multiple CGIs, if that's the simplest and clearest way
to implement the desired access --- probably will.
> > > [...] the administrator's access is, everything scales down from there.
>[...]
> >
> > Now this comment I purely don't understand. The administrator's access is of
> > very little value, and what value it gets is only a reflection of the
> > administrator's role in helping to maintain access to the application data.
> > _Privilege_ cascades as you describe, but not the value of the data.
>
> With the administrator-level access, you can modify anything on
> an untrusted OS. Therefore, the data that is administrative access is
> the most valuable.
Like I said, you're conflating "value" with "privilege". Sure, the admin's
privs are the most potent, everything scales down from there. But on a
well-partitioned set of systems, the data that is managed by the CGIs should
be the most valuable data in sight; you don't want anything more valuable left
where it is subject to compromise if there's a bug in the CGIs. Limit the
damage as much as you can, whether by spreading the problem over a suitable
number of servers or by packing it all into one and then hoping a trusted OS
does as good a job of partitioning. But once you've partitioned your problem
you _still_ have to audit those CGIs; protecting the data that the CGIs must
access from defects in those CGIs is not a job that a trusted OS will help
with, and it's the only hard part of the problem.
-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
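The last paragraph of Bennett's reply makes a point worth seeing in code: once the CGIs are confined to one partition of data, OS-level partitioning has done all it can, and the remaining exposure is whatever defects the CGIs themselves have over the data they are allowed to read. The following is an added illustration, not code from the thread or from any system discussed in it. It models a CGI-style handler over one partition held in an in-memory dict (the sample records, the four-digit record-id format, and the `session_user` argument standing in for an already-authenticated caller are all assumptions made for the example). The vulnerable version does exactly what the OS permits it to do and still leaks one user's record to another; the hardened version adds the input validation and per-record authorization check that only an audit of the CGI, not a trusted OS, would have caught.

```python
import re
from urllib.parse import parse_qs

# Constructed sample data: the single partition this CGI is allowed to manage.
# In the thread's terms, OS confinement (dedicated uid, chroot, a trusted OS)
# guarantees the handler can reach nothing *outside* this dict; it says
# nothing about which entries *inside* it a given client may read.
PARTITION = {
    "1001": {"owner": "alice", "body": "alice's order history"},
    "1002": {"owner": "bob", "body": "bob's order history"},
}

# Assumed record-id format: exactly four digits. Anything else is rejected
# before it is used as a lookup key.
RECORD_ID = re.compile(r"^[0-9]{4}$")


def _record_id(query_string):
    """Return the 'id' query parameter, or None if it is absent."""
    values = parse_qs(query_string).get("id", [])
    return values[0] if values else None


def handle_vulnerable(query_string, session_user):
    """Serve whatever record the client names.

    session_user is the authenticated caller (assumed to come from a session
    cookie validated upstream). This handler never consults it, so any
    logged-in user can read every record in the partition. That is an
    authorization defect OS-level confinement cannot catch: reading these
    records is precisely what the CGI is permitted to do.
    """
    rid = _record_id(query_string)
    rec = PARTITION.get(rid)
    if rec is None:
        return 404, "not found"
    return 200, rec["body"]


def handle_hardened(query_string, session_user):
    """Same lookup, with the checks the CGI itself has to enforce."""
    rid = _record_id(query_string)
    if rid is None or not RECORD_ID.match(rid):
        return 400, "bad id"
    rec = PARTITION.get(rid)
    if rec is None:
        return 404, "not found"
    if rec["owner"] != session_user:
        # Returning 404 here too would avoid confirming that the record
        # exists; kept distinct so the two refusal paths are visible.
        return 403, "forbidden"
    return 200, rec["body"]


if __name__ == "__main__":
    print(handle_vulnerable("id=1002", "alice"))  # bob's record leaks to alice
    print(handle_hardened("id=1002", "alice"))    # (403, 'forbidden')
```

Note that neither version can touch anything outside `PARTITION`; that is the part the OS (or the server split) buys you. The difference between the two is entirely inside the CGI, which is the part that still has to be audited.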