On Wed, 2005-10-26 at 15:35 +0200, Alfred M. Szmidt wrote:

>    If the sub-hurd is going to be the basic mechanism of security,
>    then EVERY new execution of every application should be
>    performed in a freshly instantiated sub-hurd.
>
> You are assuming that each and every application is hostile, that
> isn't the case. If you have something that can be considered hostile
> (say, something that needs root privs), you can run it in a separate
> environment. Enclosing each and every process into its own jail-like
> environment is beyond absurd.
Yes, I am definitely assuming this, because in my experience this is
actually true. Let's look at the three most common applications that
real users use:

  Web browsers
  Email readers
  Word processors
  Document browsers (e.g. acrobat, xpdf, ghostview)

Each of these runs code written by a very large number of untrusted
developers, and each downloads "plugins" (or equivalently: can spawn
local commands at the direction of documents) that I know nothing
about. The plugin code very often *is* hostile, and the programs that
run them very often contain security bugs.

So I would say that for the vast majority of program executions that I
do in a given day, yes, I would need a subhurd for every single one.

On the server side, things are even worse -- for those I need a new
sub-hurd for every page request that involves any sort of active
content.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
