[cap-talk] Dan Bernstein's qmail security lessons paper
Sam Mason
sam at samason.me.uk
Sun Dec 16 18:54:13 EST 2007
On Mon, Dec 17, 2007 at 05:29:12AM +1000, James A. Donald wrote:
> Obviously minesweeper should not be privileged to read
> your mail, record your interactions with bank sites,
> mail your passwords to Nigeria, and reformat your hard
> drive. Nor should any random word document that
> supposedly comes from your friend in email.
>
> But your company web server does need to be pretty much
> privileged to run your business, and if a guy from
> Nigeria gets control of it, the principle of least
> privilege does not help much.
I fail to see why POLA helps any less when applied server side than on
the desktop. If you run a single, monolithic, web server which handles
everything, then, if I understand things correctly, you've not applied
POLA properly. This single "web server" should be broken down into
smaller components, as you described in the desktop case, and these
components assembled to perform the same functions as the monolithic web
server.
Once the components have been separated, appropriate effort can
be expended on the trusted parts---safe in the knowledge that the
untrusted components can't do anything "bad". This is better than in
the monolithic case, where effort must be universally applied as any
exploitable bugs, anywhere, in the server could cause everything to
fail.
Sam
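The decomposition Sam argues for, sketched as an added example (this is not code from the original thread, nor from qmail): the request parser runs in a separate process that holds nothing but one pipe, the trusted side holds the file system and accepts exactly one narrow message shape, and the trusted side re-checks the path itself rather than trusting the parser. The names (DOCROOT, parse_request, trusted_serve, handle_separated), the uid/gid 65534 used when dropping privileges, and the sample requests are all assumptions made for the illustration.

```python
"""Privilege-separated file server skeleton in the qmail style.

Added illustration, not code from the cap-talk thread or from qmail.
The untrusted parser runs in a forked child that can only write one
pipe; the trusted parent is the only code that opens files and it
enforces a narrow, fixed-format interface.  DOCROOT, the function
names and the uid/gid values are assumptions for this example.
"""
import os
import re

DOCROOT = "/tmp/polaserver-docroot"   # assumption: created by setup_docroot
MAX_PATH = 64                          # longest path the narrow interface carries

# One segment of safe characters; '..', hidden files and odd bytes are
# rejected separately below.
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$")


def setup_docroot(files):
    """Create DOCROOT with the given {name: bytes} files (test fixture)."""
    os.makedirs(DOCROOT, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(DOCROOT, name), "wb") as f:
            f.write(data)
    return DOCROOT


def parse_request(raw):
    """Untrusted side: reduce a request line to a short, fixed-shape message.

    A bug here cannot touch files: the process it runs in owns nothing
    but the write end of a pipe.  The worst a compromised parser can do
    is emit a different message, which the trusted side must still vet.
    """
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return b"ERR"
    return b"GET " + parts[1][:MAX_PATH]


def trusted_serve(msg):
    """Trusted side: the only code with file access.

    Accepts exactly one message shape and validates the path itself,
    treating the parser's output as hostile input.
    """
    if not msg.startswith(b"GET "):
        return 400, b"bad request"
    path = msg[4:].decode("ascii", "replace")
    if not _SAFE_PATH.match(path):
        return 403, b"forbidden"
    if any(seg.startswith(".") for seg in path.split("/")):
        return 403, b"forbidden"            # '..' and dotfiles
    root = os.path.realpath(DOCROOT)
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if not full.startswith(root + os.sep):  # defence in depth after the regex
        return 403, b"forbidden"
    try:
        with open(full, "rb") as f:
            return 200, f.read()
    except OSError:
        return 404, b"not found"


def drop_privileges(uid=65534, gid=65534):
    """Give up root in the untrusted child; a no-op when not started as root.
    65534/65534 ('nobody') is an assumption; qmail uses dedicated uids."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)


def handle_separated(raw):
    """Run the parser in a child with only a pipe, serve in the parent."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: untrusted parser
        os.close(r)
        drop_privileges()
        os.write(w, parse_request(raw)[:MAX_PATH + 4])
        os._exit(0)
    os.close(w)                        # parent: trusted side
    msg = os.read(r, MAX_PATH + 4)     # one atomic pipe write, read whole
    os.close(r)
    os.waitpid(pid, 0)
    return trusted_serve(msg)
```

The point of the split is the second half of Sam's argument: review effort goes into trusted_serve, which is small and has a single input shape, while parse_request can be as buggy as it likes without being able to reach anything beyond its pipe. On a real system the child would also be started under its own uid and chroot, as qmail does, rather than relying on a best-effort setuid.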