On Sun, 2005-10-30 at 22:00 +0000, Neal H. Walfield wrote:

> I don't think so. Why doesn't the system administrator control the
> session manager? Why can't the system administrator decide which
> session manager to install (e.g. the one with the method which given a
> username and a particular capability returns the session capability of
> the specified user)?

Because the session manager is part of the trusted path, and the system administrator is not. It is actually very important that this particular component *not* be replaceable, since if it is replaced, *all* of the security guarantees of the system get thrown out the window.

> I'd be interested in understanding how one could build a system in
> which system administrators can't install their own session managers.

Very easily. The system administrator's options are limited by the initial system load. If this system load does not permit replacement of the session manager, that's the end of that.

Yes, if the system administrator is prepared to boot a diskless CD and use something comparable to fsdb, they can do just about anything (assuming secure boot is not being used). But there is absolutely no intrinsic reason why the initial system load should give the sysadmin more authority than we have discussed. As an implementor of an operating system, you might choose to do so, but there is no reason that you *must* do so.

> Moreover how do users verify that the system administrator doesn't
> have this capability? (I think this is basically the secure booting
> problem.)

It is *exactly* the secure booting problem. However, even without secure boot, the user knows what OS is running, and this may provide a sufficiently high degree of confidence to decide that the risk is worth it.

Neal: I would like to propose that you should pursue the question "how might this limit be achieved" and suspend disbelief temporarily on whether it is a good idea. Good or bad, the idea is currently an *alien* idea. Perhaps it makes sense to explore this alien idea on its own terms long enough to grasp it, and then step back to ask whether/how/where you wish to apply it.

All of this discussion is a corollary to the "there shouldn't be a superuser" discussion.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
