[cap-talk] 'IX/Windows API problem for POLA? Polaris
Jed at Webstart
donnelley1 at webstart.com
Thu Nov 17 20:24:35 EST 2005
At 02:19 PM 11/17/2005, Karp, Alan H wrote:
> > I hope my comments about Plash clarified what I meant when I
> > suggested that mechanisms like Plash and Polaris "fight" the native
> > access control mechanisms. Specifically they are not integrated into
> > the UID owner,group,other and rwxs sorts of access control. They are
> > separated from it, thankfully. The native access controls are
> > ambient authority and the Polaris/Plash access controls are fine
> > grained and suitable for "less authority." They are also not
> > permanent in surviving across system restarts (I know for Plash - I'm
> > not so sure for Polaris).
>Polaris works by launching the application in a restricted user account
>then adding the authorities to the file the user has designated. It
>makes full use of "UID owner,group,other and rwxs sorts of access
>control." That means the application is still working with ambient
>authorities and is still subject to confused deputy. It's just that the
>set of authorities is so small that the ambient set is close to what you
>want anyway, and there's little to be confused about.
I see. Thanks for the clarification. I'm surprised I didn't get at
least that out of the Polaris reading I did, though perhaps I did and
>Polaris is very definitely NOT a capability system.
Right. From my perspective that is because there is no communicable
unit of permission - e.g. as there is with Plash where Unix open file
descriptors are used to communicate permissions.
> > Let me ask you Alan what I asked about Plash. Do you see any path
> > toward the kind of growth needed for relevancy for Polaris? Given
> > its state as an HP product (I assume) it seems to me even more
> > difficult for it to transition to a relevant growth curve.
> > How do you see it?
>We are in the business development process now. Actually, we're in it
>again. I had built up a set of contacts interested in pursuing
>productizing Polaris. They all took the latest early retirement
>package. I've had to start over, but I'm beginning to make progress.
>If I succeed, there's a chance there will be a polarized browser on
>every consumer PC HP ships and that many of our enterprise machines
>would have that and more apps polarized. That should meet your
>definition of a "relevant growth curve."
Hmmm. It isn't the sort of relevant growth curve that I'm familiar
with in terms of a ground swell of interest/use. I guess it would
depend on what happened once it was out there on all those
systems. If people used it and began to clamor for such a facility
on all their systems, then that would definitely be 'relevant
growth.' Unfortunately only 'polarizing' a browser and possibly a
few apps would seem to make that somewhat difficult. As soon as the
next browser update comes out (still a pretty volatile area I would
say), they might end up leaving their polarized browser
behind. Naturally it would be vital to be able to support all the
plugins and such that people need in their browsers. Having a
browser safe from Trojan horses in the form of such plugins is of
course an important added value, but it would have to work for people
'in the field.'
One other concern I have about Polaris is that it's not open
source. There doesn't seem to be much to do about that.
>Unfortunately, although Polaris supports POLA, where L is "Less" not
>"Least", it isn't capabilities.
As with Toby, I'm quite willing to walk before I run. I just want to
see some paths to real sustainable progress in the POLA area - even
Less instead of Least.
Good luck with your efforts to get Polaris distributed Alan!
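An added example, not from this post and not code from the Plash or Polaris projects, of the "communicable unit of permission" the message refers to: a parent process opens the user-designated file read-only and hands the open descriptor to a child over a Unix socket using SCM_RIGHTS, the standard Unix mechanism for passing descriptors between processes. The child is started as a separate interpreter and is never told the path, so the descriptor is the only route it has to the file, and because the parent opened it O_RDONLY the child cannot write through it. Assumes a POSIX system (Linux or macOS) and Python 3; the file name, its contents and all function names are constructed for the demo.

```python
import array
import os
import socket
import subprocess
import sys
import tempfile

# Constructed sample content for the "designated" file (not from the post).
SAMPLE_TEXT = b"constructed sample document: only the parent knows my path\n"

# Code run by the confined child. It is handed exactly one thing: the number
# of a Unix socket. It is never told the file's path, so the only way it can
# reach the file is through a descriptor someone sends it.
CHILD_SCRIPT = r"""
import array, os, socket, sys
sock = socket.socket(fileno=int(sys.argv[1]))
# Receive one SCM_RIGHTS message carrying a single descriptor.
_, ancdata, _, _ = sock.recvmsg(16, socket.CMSG_SPACE(array.array("i").itemsize))
fds = array.array("i")
for level, ctype, data in ancdata:
    if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
        fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
fd = fds[0]
content = os.read(fd, 4096)
# The parent opened the file O_RDONLY, so write authority was never
# delegated; the kernel refuses the write with EBADF.
try:
    os.write(fd, b"tamper")
    writable = b"yes"
except OSError:
    writable = b"no"
sys.stdout.buffer.write(writable + b"\n" + content)
"""


def send_fd(sock, fd):
    """Send one open descriptor over a Unix-domain socket (SCM_RIGHTS)."""
    sock.sendmsg([b"cap"],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def delegate_read_only(path):
    """Open `path` read-only and hand the descriptor to a child that never sees the path.

    Returns the bytes the child read and whether it managed to write through
    the descriptor it was given.
    """
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT, str(child_sock.fileno())],
        pass_fds=(child_sock.fileno(),),   # the socket is all the child inherits
        stdout=subprocess.PIPE,
    )
    child_sock.close()                  # the child holds its own copy now
    fd = os.open(path, os.O_RDONLY)     # the unit of permission being delegated
    send_fd(parent_sock, fd)
    os.close(fd)                        # child's copy stays valid after this
    parent_sock.close()
    out, _ = proc.communicate(timeout=15)
    writable, _, content = out.partition(b"\n")
    return {"content": content, "child_could_write": writable == b"yes"}


def run_demo():
    """Create the sample file in a temp directory and run the delegation end to end."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "designated.txt")
        with open(path, "wb") as f:
            f.write(SAMPLE_TEXT)
        return delegate_read_only(path)


if __name__ == "__main__":
    result = run_demo()
    print("child read:", result["content"].decode().rstrip())
    print("child could write through the descriptor:", result["child_could_write"])
```

The contrast with the restricted-account approach described above is that nothing here depends on who the child runs as: the authority travels with the descriptor, is limited to what the parent chose to open (read-only here), and can be handed to any process that holds the other end of the socket.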