Steven J. Long wrote:
> > It's a lot more secure to have a single well-defined privileged trust
> > anchor (the privileged process) with a well-defined protocol, than to
> > have built-in privilege escalation which allows arbitrary actions.
>
> You appear to have missed the point of what it does.

I haven't.

> the whole point is to run arbitrary commands that affect the root system.

I don't think that's the case. Are you sure that it is? With a trust root of our own it is very easy to decide what is allowed, and I imagine that we want to.

I'm sure you see the vast difference between built-in privilege escalation for a user process and having a separate, controlled code path with privileges. You claim that they are the same, but unless the protocol supports transferring machine code for privileged execution, that's plain wrong. Maybe you tend to support such arbitrary code execution, but I don't think that's what is being proposed here, and a lot of people have done just fine designing and implementing protocols without such problems in the past.

And you have a very long way of saying that you don't care. :)

//Peter
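The distinction argued in the message above, as an added example that is not code from this thread or from the project under discussion: the privileged side of a request protocol that only knows a fixed table of operations and validates every argument before building the one command it would run, placed next to the "escalation" design that hands whatever the client sends to a shell. The JSON line format, the operation names (`restart_service`, `set_link`), the name patterns and the `systemctl`/`ip` commands are all assumptions chosen for illustration; the functions return the command they would execute rather than executing it, so the decision logic can be exercised offline.

```python
import json
import re

# Privileged side of a narrow request protocol (added example, assumptions
# throughout: the message format, operation names and argv are illustrative).
# Each allow-listed operation has its own validator that turns the client's
# arguments into the exact argv the helper would run. Nothing outside this
# table is ever executed, and no shell is involved at any point.
_SERVICE_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,63}$")   # assumed name policy
_IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")        # assumed name policy
MAX_REQUEST_BYTES = 4096                                 # cap untrusted input


def _restart_service(args):
    name = args.get("service")
    if not isinstance(name, str) or not _SERVICE_RE.match(name):
        raise ValueError("invalid service name")
    return ["systemctl", "restart", name]


def _set_link(args):
    iface, state = args.get("iface"), args.get("state")
    if not isinstance(iface, str) or not _IFACE_RE.match(iface):
        raise ValueError("invalid interface name")
    if state not in ("up", "down"):
        raise ValueError("state must be 'up' or 'down'")
    return ["ip", "link", "set", iface, state]


OPERATIONS = {
    "restart_service": _restart_service,
    "set_link": _set_link,
}


def handle_request(raw):
    """Parse one request line from an unprivileged client and decide.

    Returns {"ok": True, "argv": [...]} with the single command the helper
    would run, or {"ok": False, "error": "..."} and performs nothing.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        return {"ok": False, "error": "request too large"}
    try:
        req = json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return {"ok": False, "error": "malformed request"}
    if not isinstance(req, dict) or not isinstance(req.get("args"), dict):
        return {"ok": False, "error": "malformed request"}
    validator = OPERATIONS.get(req.get("op"))
    if validator is None:
        return {"ok": False, "error": "operation not permitted"}
    try:
        argv = validator(req["args"])
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "argv": argv}


def escalation_helper(raw):
    """The contrasting design: run whatever the client sends as root.

    Returned rather than executed, to show that the privileged side makes
    no decision at all; the client's text becomes the command verbatim.
    """
    return ["sh", "-c", raw]


if __name__ == "__main__":
    # Constructed sample requests, including ones a hostile client might send.
    for line in (
        '{"op": "restart_service", "args": {"service": "nginx"}}',
        '{"op": "restart_service", "args": {"service": "nginx; rm -rf /"}}',
        '{"op": "set_link", "args": {"iface": "eth0", "state": "up"}}',
        '{"op": "run", "args": {"cmd": "rm -rf /"}}',
        "not json at all",
    ):
        print(line, "->", handle_request(line))
    print("escalation design:", escalation_helper("rm -rf /"))
```

The point the example makes is that the protocol's vocabulary is the policy: a client can only name an operation from the table, every argument is checked against a pattern before it is spliced into an argv, and a request that does not fit is answered with an error rather than partially honoured. The `escalation_helper` shows the other shape, where the privileged side has no vocabulary of its own and therefore nothing to decide.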
