[cap-talk] Why You Don't Have To (And Shouldn't Try To) Separate The Policy

David Wagner daw at cs.berkeley.edu
Fri Jan 20 10:28:41 EST 2006


"Rob J Meijer" <rmeijer at xs4all.nl> writes:
>A problem here is I think the inability of applications to acquire
>information about the active policies. This makes for the fact that
>much software breaks completely when actions needed for less important
>parts of their functionality are denied during operation.

Naah, that's not a problem.  As an app writer, if you get -EPERM,
you know your request was denied.  The issue you mention is not a
barrier to app programmers making their apps more least-privilege-friendly.

A perhaps more real problem is software that is written to use
permissions it does not need.  Example: When the X11 Motif "file
open" widget first pops up on the screen, it walks up the filesystem
directory tree to the root, stat()ing each directory it sees so that
it can display the full path of the current working directory.  But
even this example isn't too terribly problematic.  Another example:
On Windows, MSIE is so integrated into everything that it's hard to
see how one can put together any useful security policy for it.
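
As an added illustration of the point about handling -EPERM (this is not code from the original post, from Motif, or from any project discussed here): a C routine that mimics the file-open widget's walk up the directory tree, stat()ing each ancestor, but treats EACCES/EPERM on a component as a degraded result (the path can still be shown, just not fully verified) instead of aborting the whole dialog. The function names, the stat_fn indirection, and the simulated policy that denies everything under /home/alice/private are assumptions constructed for the example.

```c
/* Added example, not from the original post. Walk a cwd's ancestors the way
 * a Motif-style file dialog does, but treat a policy denial on one ancestor
 * as "could not verify" rather than as a fatal error. All names hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Pluggable stat() so the policy can be simulated without root or chmod. */
typedef int (*stat_fn)(const char *path, struct stat *st);

/* Outcome of a non-essential request under a restrictive policy. */
enum probe_result { PROBE_OK, PROBE_DENIED, PROBE_ERROR };

/* EACCES/EPERM mean "policy said no": the caller should degrade, not die.
 * Anything else (ENOENT, EIO, ...) is a genuine failure. */
enum probe_result classify_errno(int err)
{
    if (err == EACCES || err == EPERM)
        return PROBE_DENIED;
    return PROBE_ERROR;
}

/* stat() each ancestor of an absolute, canonical path, from the path itself
 * up to "/". Returns how many ancestors were denied by policy (the display
 * can still proceed with an unverified prefix), or -1 on a real error or
 * on a path that is not absolute. */
int count_unverified_ancestors(const char *abs_path, stat_fn do_stat)
{
    char buf[4096];
    struct stat st;
    int denied = 0;

    if (abs_path[0] != '/' || strlen(abs_path) >= sizeof buf)
        return -1;
    strcpy(buf, abs_path);

    for (;;) {
        if (do_stat(buf, &st) != 0) {
            if (classify_errno(errno) == PROBE_DENIED)
                denied++;          /* keep walking; just note the gap */
            else
                return -1;         /* not a policy decision: give up */
        }
        if (strcmp(buf, "/") == 0)
            break;
        char *slash = strrchr(buf, '/');
        if (slash == buf)
            buf[1] = '\0';         /* parent is the root */
        else
            *slash = '\0';         /* drop the last component */
    }
    return denied;
}

/* Wrapper around the real stat(2) so it matches stat_fn exactly. */
int real_stat(const char *path, struct stat *st)
{
    return stat(path, st);
}

/* Constructed stand-in for a restrictive policy: everything under
 * /home/alice/private is denied with EACCES, anything containing "/missing"
 * does not exist (ENOENT), and everything else "succeeds" without touching
 * the filesystem. */
int fake_policy_stat(const char *path, struct stat *st)
{
    static const char private_prefix[] = "/home/alice/private";
    (void)st;
    if (strncmp(path, private_prefix, strlen(private_prefix)) == 0) {
        errno = EACCES;
        return -1;
    }
    if (strstr(path, "/missing") != NULL) {
        errno = ENOENT;
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *cwd = "/home/alice/private/docs/work";   /* constructed input */
    int n = count_unverified_ancestors(cwd, fake_policy_stat);
    if (n < 0)
        printf("cannot display %s: hard error\n", cwd);
    else
        printf("%s (%d ancestor(s) not verifiable under current policy)\n", cwd, n);
    return 0;
}
```

The distinction that matters is the one between `PROBE_DENIED` and `PROBE_ERROR`: an application that lumps both into "fatal" is the kind of software the quoted message describes, while one that only needs the ancestors for cosmetic display can keep running with `denied > 0`.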

