> under the rights of "audio/video/mouse/interaction with user",
> "network i/o to such and such an address (list)", etc. for
> convenience and expressiveness in the ACL system (other management
> tools like user, other, groups etc. help scale the task) and then I
> can design a set of sensible security policies for a site,

I think we should "turn around the view" (maybe you were saying this
in another way).

That is, instead of ACL type protection, where a resource is
associated with a list of allowed users and uses, we should have a
list of allowed resources and uses attached to each program
(executable or active object).

And by default, a program could not access any resources at all.

In the case of a mail attachment containing an executable, we could
quite safely try to run it, and the system would just inform the user
that it is trying to open this or that file (do you want to allow it?),
trying to open a TCP connection to port 25 (do you want to allow it?),
or trying to execute another program (do you want to allow it?).

To make such a thing work, program installation packages would need to
be accompanied by a "resource usage list", which could be checked by
the user and, if acceptable, associated with the program.

I don't see it causing much overhead. For example, the Linux program
loader could be changed to load the usage list, and on file open,
scanning this list to see whether the access is allowed or not is not
a big issue. Most programs really need access to only a few files and
resources anyway (and naturally, there would be ways to give access to
a wide range of resources, if needed -- the old group/owner uids would
still be available for that purpose).

-- 
Markku Savela ([EMAIL PROTECTED]), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

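The following is an added example, not code from the message above or from any system its author worked on. It sketches the checker the message proposes: a program ships with a "resource usage list" naming the files, network endpoints and other programs it may use, and every open/connect/exec request is checked against that list with default deny. The manifest format, the field names, the `ResourcePolicy` class and the sample mail-client manifest are all invented for illustration; file patterns are matched per path component and paths are normalised first so that `..` cannot sneak a request past a pattern. Network entries accept only IP literals (a hostname would have to be resolved first, which this sketch does not do).

```python
"""Per-program resource usage list with default deny (added example).

Hypothetical manifest format: a dict with "files" (path pattern + modes),
"network" (IP network + port) and "exec" (absolute program paths).
"""
import fnmatch
import ipaddress
import json
import posixpath

# Constructed manifest for a hypothetical mail client (not a real package).
MAIL_CLIENT_MANIFEST = {
    "files": [
        {"path": "/home/*/Mail/*", "modes": ["read", "write"]},
        {"path": "/etc/resolv.conf", "modes": ["read"]},
    ],
    "network": [
        {"host": "192.0.2.0/24", "port": 25},   # SMTP to the site's relays
        {"host": "192.0.2.10", "port": 143},    # IMAP to one server only
    ],
    "exec": ["/usr/bin/gpg"],
}


def _path_matches(pattern, path):
    """Match pattern against path one component at a time, so '*' never
    crosses a '/' (plain fnmatch would let '/etc/*' match '/etc/ssh/key')."""
    pseg, seg = pattern.split("/"), path.split("/")
    if len(pseg) != len(seg):
        return False
    return all(fnmatch.fnmatchcase(s, p) for p, s in zip(pseg, seg))


class ResourcePolicy:
    """Answers 'may this program touch this resource?' from its usage list.
    An empty manifest (the default for an unknown program) allows nothing."""

    def __init__(self, manifest):
        self.files = list(manifest.get("files", []))
        self.network = [
            (ipaddress.ip_network(e["host"], strict=False), int(e["port"]))
            for e in manifest.get("network", [])
        ]
        self.exec = set(manifest.get("exec", []))

    @classmethod
    def from_json(cls, text):
        """Load the usage list that would ship with the install package."""
        return cls(json.loads(text))

    def allows_open(self, path, mode):
        # Collapse '.' and '..' before matching: '/home/u/Mail/../.ssh/id_rsa'
        # must be judged as '/home/u/.ssh/id_rsa', which no pattern allows.
        p = posixpath.normpath(path)
        if not p.startswith("/"):
            return False  # usage lists are absolute; relative requests are ambiguous
        return any(_path_matches(e["path"], p) and mode in e["modes"]
                   for e in self.files)

    def allows_connect(self, host, port):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # not an IP literal: deny rather than guess
        return any(addr in net and port == p for net, p in self.network)

    def allows_exec(self, program):
        return posixpath.normpath(program) in self.exec

    def check(self, kind, *args):
        """Return (allowed, prompt) so a UI can ask 'do you want to allow it?'
        for anything the usage list does not already permit."""
        if kind == "open":
            path, mode = args
            return self.allows_open(path, mode), f"open {path} for {mode}"
        if kind == "connect":
            host, port = args
            return self.allows_connect(host, port), f"connect to {host} port {port}"
        if kind == "exec":
            (program,) = args
            return self.allows_exec(program), f"execute {program}"
        return False, f"unknown request {kind!r}"


if __name__ == "__main__":
    policy = ResourcePolicy(MAIL_CLIENT_MANIFEST)
    for req in [("open", "/home/alice/Mail/inbox", "read"),
                ("open", "/home/alice/Mail/../.ssh/id_rsa", "read"),
                ("connect", "192.0.2.77", 25),
                ("connect", "192.0.2.77", 143),
                ("exec", "/bin/sh")]:
        allowed, prompt = policy.check(*req)
        print(("allowed " if allowed else "ASK USER: ") + prompt)
```

The `check` method is where the "do you want to allow it?" dialogue from the message would hang: a denied request is not necessarily an error, it is the point at which the user is asked and the manifest could be extended. Note that what is checked here is the pathname the program asks for, so a real enforcement point would still have to sit at the system-call boundary (where symlinks and races are resolved) rather than in the program itself.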