On Wed, Oct 26, 2005 at 04:13:43PM +0200, Alfred M. Szmidt wrote:
> Web browsers
> Email readers
> Word processors
> Document browsers (e.g. acrobat, xpdf, ghostview)
>
> All those run in a jail of sorts: the current user.

This is UID based access control. It works, but it violates the
principle of least authority very much, and is therefore immensely
insecure. True, they cannot mess up the operating system, but only the
home dir of the user. But what's more important, a system which can be
reinstalled, or data which only has a two-week-old backup (if you're
lucky)?

> What would be nifty is a way to allow a user to make sub-users, where he can
> encapsulate a program and only give write/read access to a specific
> directory. Which is possible to do with any extensive rewrites I think.

That would be what a capability system is all about. You only give the
rights away that the process actually needs, not your full user rights.
I'm glad you like it. :-)

> Each of these runs code written by a very large number of untrusted
> developers, and each downloads "plugins" (or equivalently: can spawn
> local commands at the direction of documents) that I know nothing about.
> [...]
> The plugin code very often *is* hostile, and the programs that run
> them very often contain security bugs.
>
> Same thing can be said about kernels.

Kernels (and the rest of the TCB) are indeed very critical. They must
be correct, or you're in big trouble from a security point of view.
Luckily it isn't too much code (with a microkernel design), and it may
even be possible to formally verify correctness on it.

> On the server side, things are even worse -- for those I need a new
> sub-hurd for every page request that involves any sort of active
> content.
>
> Such paranoia isn't useful for a multi user system, or a single user
> system. All it is is an academic exercise in `intellectual
> masturbation'.

You may think so. But what if it's possible? It would be great to work
on such a system, wouldn't it? Imagine the feeling that the worst thing
a hostile program can do is to not do its job. Compare that to the
current situation on GNU/Linux, where it can ruin all your personal
files.

I think this is something which is worth a lot of effort.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
