On Mon, 3 Feb 2003, Joe Poole wrote: > On Saturday 01 February 2003 11:41, Phil Payne wrote: > > Linux looks like following down the same road. The question that > occurs to me is - is free access to the source of an operating > system actually a prerequisite for this? > > I think so, Phil. Primarily due to the fact that you can't run > anything on my MVS system that I didn't help you run. Because source > has to be compiled into a library prior to execution is a hugh > security boost, as is RACF and the corresponding HFS permissions of > the *nix world.
I don't have Phil's contribution to hand - archived by my main email client - so this may be a little out of context. In some sense, if I submit data to your online (banking, library, ecommerc - whatever) application, I am writing programs for your computer to run with sufficient authorisation to change your data. Think on it; your application inspects my data, makes decisions on that data, and alters your data. Much like a CPU executing its instruction stream, or a JAVA VM interpreting byte-code. That is what happens when someone distributes a virus by email. If I find a way to 'write a program" by submitting data that causes your application to malfunction, by damaging your data, then you have a problem. No RACF will help you. Nor will *x permissions. Your responsibility to your clients is to ensure it cannt happen. The evidence so far is that hiding your application source code is of limited help, though I'm sure if you don't widely distribute binaries either then you are fairly safe. However, the reality is that many/most significant applications today use widely-available software. -- Cheers John. Join the "Linux Support by Small Businesses" list at http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
