[cap-talk] least authority gets some press
daw at cs.berkeley.edu
Tue Jan 16 15:28:15 CST 2007
>The application writer knows
>what privileges (permissions) are necessary for the application -
>except of course those that need to be requested from the user. To
>deal effectively with this situation I believe applications need to
>come packaged with a profile that indicates what initial privileges
>they need to run with. At installation time the user should be
>notified of these needed privileges for approval. At that
>installation time the documentation can of course justify the needed
>privileges. Once installed the application initialization process
>should grant the application the needed initial privileges when it's started.
Sounds nice in theory, but the usability of this is potentially
First, many application writers are not very knowledgeable about security,
and they might not be able to answer questions about what privileges their
application needs. Second, right now there's not a lot of incentive for
application writers to ask for just what they need; it'd be too easy
for a lazy application writer to just say "give me all privileges".
(There's a reason that so many Windows apps seem to want to run with
administrator privileges.) Sure, we could imagine a market where users
punish developers for asking for unnecessary privileges, but that's not
the world we live in today, so before you invoke such an imaginary world,
you'll have to explain how you plan to get there from here.
Third, and probably most seriously, I suspect that very few users are
knowledgeable enough to make good decisions about what privileges an
application should be granted. If the app requests privilege X, is
that a reasonable request that should be granted? Most users won't be
able to answer that question, and nor are they likely to want to think
about it. The user wants to get their work done, not mess around with
For these reasons, I think we'd better be realistic about what we demand
of programmers and users, and be wary of unfounded optimism.
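The scheme described in the quoted message (an application ships a profile declaring the privileges it needs, the user approves them at install time, and the launcher grants the approved set at start-up) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not code from either poster or from any real packaging system. The profile format, the privilege naming scheme (`fs:read:...`, `net:connect:...`), and the function names are assumptions made for the example. It also encodes the objection raised in the reply: a profile that simply asks for everything is flagged for review instead of being approved, and a later launch that asks for more than was approved at install time is detected rather than silently honoured.

```python
"""Install-time privilege profile review and launch-time grant (added example).

Hypothetical design for illustration only: the profile format, privilege
names and policy are assumptions, not any real package manager's scheme.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample profiles, as a packager might ship alongside an app.
# Each privilege maps to the justification the documentation would show the
# user at install time.
EXAMPLE_PROFILE = {
    "name": "photo-editor",
    "privileges": {
        "fs:read:$HOME/Pictures": "load the user's photos",
        "fs:write:$HOME/Pictures": "save edited photos",
        "net:connect:updates.example.invalid:443": "check for updates",
    },
}

# The "lazy application writer" case from the reply: one wildcard request.
LAZY_PROFILE = {
    "name": "lazy-app",
    "privileges": {"*": "needs everything"},
}


@dataclass
class ReviewResult:
    """Outcome of the install-time review.

    approved: privileges that may be presented to the user for approval.
    flagged:  privilege -> reason it must not be approved as-is.
    """
    approved: set[str] = field(default_factory=set)
    flagged: dict[str, str] = field(default_factory=dict)


def review_profile(
    profile: dict,
    deny_prefixes: tuple[str, ...] = ("admin:",),
) -> ReviewResult:
    """Install-time review of a privilege profile.

    Wildcards and unjustified entries are flagged rather than approved, and a
    local policy (deny_prefixes, an assumed knob) can veto whole classes of
    privilege regardless of what the developer asked for.
    """
    result = ReviewResult()
    for priv, justification in profile.get("privileges", {}).items():
        if priv == "*" or priv.endswith(":*"):
            result.flagged[priv] = "wildcard request: too broad to approve"
        elif not justification or not justification.strip():
            result.flagged[priv] = "no justification given"
        elif priv.startswith(deny_prefixes):
            result.flagged[priv] = "denied by local policy"
        else:
            result.approved.add(priv)
    return result


def grant_at_launch(profile: dict, approved: set[str]) -> tuple[set[str], list[str]]:
    """Launch-time grant: requested ∩ approved, never more.

    Returns (granted, newly_requested). A non-empty newly_requested means the
    installed application (for example after an update) now asks for
    privileges the user never approved; the launcher should re-prompt rather
    than grant them.
    """
    requested = set(profile.get("privileges", {}))
    granted = requested & approved
    newly_requested = sorted(requested - approved)
    return granted, newly_requested


if __name__ == "__main__":
    review = review_profile(EXAMPLE_PROFILE)
    print("approved:", sorted(review.approved))
    print("flagged:", review.flagged)
    print("lazy app flagged:", review_profile(LAZY_PROFILE).flagged)
    # Simulate an update that asks for more than the user approved originally.
    granted, new = grant_at_launch(EXAMPLE_PROFILE, {"fs:read:$HOME/Pictures"})
    print("granted:", sorted(granted), "needs re-approval:", new)
```

The point of the `grant_at_launch` intersection is that the installed approval set, not the application's current request, is the authority on what it runs with; anything beyond it surfaces as a decision for the user rather than being granted by default.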