[cap-talk] least authority gets some press
Jed Donnelley
capability at webstart.com
Tue Jan 16 14:52:52 CST 2007
At 10:50 AM 1/16/2007, David Nicol wrote:
> http://www.eweek.com/article2/0,1895,2083762,00.asp
>
> let's put some plash discussion in the comments
Hmmm. From the above:
"If there's one problem with the Privilege Manager approach it's that
it is not easy for an administrator to know what privileges are
necessary for the application to run properly, except through trial
and error, or perhaps by being very smart and knowing their way
around MSDN well."
What else is new? This is of course likely to further turn off users
to POLA as being unusable.
I see this approach as ass backwards. The application writer knows
what privileges (permissions) are necessary for the application -
except of course those that need to be requested from the user. To
deal effectively with this situation I believe applications need to
come packaged with a profile that indicates what initial privileges
they need to run with. At installation time the user should be
notified of these needed privileges for approval. At that
installation time the documentation can of course justify the needed
privileges. Once installed the application initialization process
should grant the application the needed initial privileges when it's started.
After that it's up to a "power box" to ask for any additional
privileges that are needed. I didn't see any discussion of such
dynamically granted privileges (permissions). Without that how can
anything work? Does that suggest that nominal ambient authority is
granting access to all applications for access to all files, network
access, etc., and the "privileges" being discussed in this article
are just power user (administrator) privileges like the ability to
format disks and such? Somehow that doesn't seem to me to be
effectively addressing the problem, namely that simple programs like
games or media conversion programs have access to all a user's privileges.
I'll post a slightly generalized version of the above to the eWeek
comments when I get home this evening and can deal effectively with
the requirement for registering to do such posting.
--Jed http://www.webstart.com/jed/
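The packaging-profile plus power-box model sketched in the post above, as an added illustration in Python (not code from the post or from any project it mentions): an application declares the initial privileges it needs in a manifest, the user approves them once at install time, the process is launched with exactly those capabilities and nothing ambient, and a power box hands out further capabilities one user-chosen object at a time. The manifest format, `Capability`, `Powerbox` and `can` are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed example manifest: the initial privileges an application
# declares at packaging time, in a made-up "kind:path" form.
MANIFEST = {
    "app": "media-convert",
    "initial": ["read:~/Music", "write:~/Music/converted"],
}

@dataclass(frozen=True)
class Capability:
    """One narrow authority: a kind of access to a path subtree."""
    kind: str
    path: str

    def covers(self, kind, path):
        return self.kind == kind and (path == self.path or path.startswith(self.path + "/"))

def install(manifest, approve):
    """Install time: present the declared privileges; approve(list) is the user's decision."""
    if not approve(manifest["initial"]):
        raise PermissionError(f"{manifest['app']}: declared privileges not approved")
    return list(manifest["initial"])

def launch(approved):
    """Start time: the process receives exactly the approved capabilities, nothing ambient."""
    caps = set()
    for entry in approved:
        kind, path = entry.split(":", 1)
        caps.add(Capability(kind, path))
    return caps

class Powerbox:
    """Mediates later requests: the user picks one object and only that object's capability is minted."""
    def __init__(self, chooser):
        self.chooser = chooser  # chooser(kind, prompt) -> chosen path, or None if the user declines

    def request(self, app_caps, kind, prompt):
        chosen = self.chooser(kind, prompt)
        if chosen is None:
            return None
        cap = Capability(kind, chosen)
        app_caps.add(cap)
        return cap

def can(caps, kind, path):
    """Access check the application's file/network layer would consult instead of ambient authority."""
    return any(c.covers(kind, path) for c in caps)
```

A request through the power box grants the single file the user chose, not the whole directory it lives in; an app launched with ambient authority would have had every file from the start.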