[cap-talk] Drop My Rights - a stab at caps by Microsoft?

Jed Donnelley jed at nersc.gov
Mon Oct 17 14:15:29 EDT 2005


At 10:31 AM 10/17/2005, you wrote:
>http://online.securityfocus.com/infocus/1848
>
>  Meanwhile a simple yet little-known approach exists for users to avoid
>many of these vulnerabilities in any web browser...

I read the above.  I hardly consider it a "stab at capabilities by Microsoft".
It seems to be focusing on the very limited potential value of allowing
those logged in with administrator privileges (which of course one needs
to run installs and such on Windows) to "drop" such privileges to some
other ambient set (that I don't quite understand:

# N for Normal User
# C for constrained user
# U for untrusted user - however, most Internet applications will fail

- e.g. which "normal user", what exactly is a "constrained" or "untrusted"
user.) for a particular program execution (e.g. a browser).

In any case what is clear is that all of the above are still ambient authorities.
That is, there is no provision for granting specific authorities to programs
that need them, despite the fact that they say "It is important that administrators
follow the rule of least privilege."

It might be of some help if there were a mechanism available to make such
a drop of privileges more natural (one wonders, what about things like uploads?).
Perhaps such a mechanism could be used behind the scenes for a system
like Polaris?  Still, as is it appears to me to be a little along the lines of
something like chroot in Unix.  It takes one subset of resources (file system
in the case of chroot) and provides a difficult to use and limited facility for
restricting access when running a program.  Even if such a facility could be
integrated into a reasonable POLA computing environment, the base program
(using what system calls?) is a pretty negligible step in that direction.

I suppose the fact that something like that is being written up is positive. 
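The distinction drawn above, between dropping ambient rights for a whole program run and granting one specific authority to the program that needs it, can be seen in a few lines of POSIX code. The following is an added illustration, not code from this post, from the SecurityFocus article or from Microsoft's DropMyRights: the parent opens the one file the user chose (the "upload") and hands the open descriptor to the child with `pass_fds`, so the child can read exactly that file and nothing else needs to be restricted for it. The child program, the temporary file and its contents are constructed for the example; it assumes a POSIX system where descriptors are inherited across `exec`.

```python
import os
import subprocess
import sys
import tempfile

# Child program, constructed for this example. It is given a descriptor
# number and the inode that descriptor should refer to. It never opens a
# path itself: the only file it can reach is the one the parent chose to
# hand over, which is the "specific authority" the message above asks for.
CHILD_SRC = r"""
import os, sys
fd, want_ino = int(sys.argv[1]), int(sys.argv[2])
try:
    st = os.fstat(fd)
except OSError:          # descriptor was not inherited (EBADF)
    st = None
if st is None or st.st_ino != want_ino:
    sys.stdout.write("NO-AUTHORITY")
else:
    sys.stdout.buffer.write(os.read(fd, 1 << 16))
"""


def run_child(path, grant):
    """Spawn the child for `path` and return its stdout as bytes.

    grant=True : the parent opens the file and passes the open descriptor
                 (POSIX pass_fds); one specific authority is granted.
    grant=False: the child starts with nothing (close_fds, the default);
                 no blanket drop of ambient rights is needed for it to be
                 unable to read the file, it simply was never given it.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        ino = os.fstat(fd).st_ino
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC, str(fd), str(ino)],
            pass_fds=(fd,) if grant else (),
            capture_output=True,
            check=True,
        )
    finally:
        os.close(fd)
    return proc.stdout


def demo():
    """Constructed input: a file standing in for something the user chose
    to upload. Returns (result with descriptor passed, result without)."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed upload contents")
        path = f.name
    try:
        return run_child(path, grant=True), run_child(path, grant=False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    granted, ungranted = demo()
    print("with descriptor passed:   ", granted)
    print("without descriptor passed:", ungranted)
```

The point of the contrast is that the child's access is decided by what it was handed, not by which ambient level (Normal, Constrained, Untrusted) its whole process token was lowered to; an upload works because that one file was granted, while every other file is unreachable by default rather than by a separate restriction step.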
