[cap-talk] least authority gets some press

Neal H. Walfield neal at walfield.org
Tue Jan 16 16:18:49 CST 2007


At Tue, 16 Jan 2007 13:28:15 -0800 (PST),
David Wagner wrote:
> 
> Jed writes:
> >The application writer knows 
> >what privileges (permissions) are necessary for the application - 
> >except of course those that need to be requested from the user.  To 
> >deal effectively with this situation I believe applications need to 
> >come packaged with a profile that indicates what initial privileges 
> >they need to run with.  At installation time the user should be 
> >notified of these needed privileges for approval.  At that 
> >installation time the documentation can of course justify the needed 
> >privileges.  Once installed the application initialization process 
> >should grant the application the needed initial privileges when it's started.
> 
> Sounds nice in theory, but the usability of this is potentially
> problematic.
> 
> First, many application writers are not very knowledgeable about security,
> and they might not be able to answer questions about what privileges their
> application needs.  Second, right now there's not a lot of incentive for
> application writers to ask for just what they need; it'd be too easy
> for a lazy application writer to just say "give me all privileges".
> (There's a reason that so many Windows apps seem to want to run with
> administrator privileges.)  Sure, we could imagine a market where users
> punish developers for asking for unnecessary privileges, but that's not
> the world we live in today, so before you invoke such an imaginary world,
> you'll have to explain how you plan to get there from here.
> 
> Third, and probably most seriously, I suspect that very few users are
> knowledgeable enough to make good decisions about what privileges an
> application should be granted.  If the app requests privilege X, is
> that a reasonable request that should be granted?  Most users won't be
> able to answer that question, and nor are they likely to want to think
> about it.  The user wants to get their work done, not mess around with
> these distractions.
> 
> For these reasons, I think we'd better be realistic about what we demand
> of programmers and users, and be wary of unfounded optimism.

I was also taken a bit aback at Jed's suggestion.  But for an
additional reason: why are you trusting the application developer?  In
that case, you are also asking the malware author.  Not good.

I think it would be reasonable that profiles for specific applications
be downloaded from a "dependable" source.  For instance, your
operating system distributor.  This is already being done by Red Hat
for SE Linux security policies.

Neal
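As an added illustration of the two positions above (this is example code written for this page, not anything from the cap-talk thread or any real launcher), the sketch below treats the application's self-declared privilege manifest as untrusted input and caps it by a profile obtained from a separate trusted source, in the spirit of distributor-shipped policy. All privilege names, application names, manifests and profiles are constructed for the example; the `KNOWN_PRIVILEGES` vocabulary, the `initial`/`on_request` profile keys and every function name are assumptions of this sketch.

```python
# Added example, not code from the cap-talk thread: a least-authority
# launcher that grants an application only the privileges that BOTH its own
# manifest and a trusted (e.g. distributor-provided) profile name.
# Every privilege name, manifest and profile below is constructed.
from dataclasses import dataclass, replace

# Constructed vocabulary of privileges this launcher understands.
KNOWN_PRIVILEGES = frozenset({
    "net.client", "net.listen",
    "fs.read.home", "fs.write.home",
    "fs.read.documents", "fs.write.documents",
    "device.camera", "device.microphone",
})


@dataclass(frozen=True)
class Decision:
    granted: frozenset    # privileges the app actually starts with
    denied: frozenset     # asked for by the app, absent from the trusted profile
    unknown: frozenset    # requested names the launcher does not recognise
    overbroad: bool       # the app asked for everything ("*")


def reconcile(requested, trusted_profile):
    """Intersect the app's manifest with the trusted profile's initial set.

    The manifest can narrow what the trusted profile allows but never widen
    it, so a manifest written by a careless (or hostile) author cannot buy
    extra authority. A wildcard request is refused outright instead of being
    silently expanded to "everything the profile allows".
    """
    requested = frozenset(requested)
    initial = frozenset(trusted_profile.get("initial", ()))
    bad = initial - KNOWN_PRIVILEGES
    if bad:
        raise ValueError(f"trusted profile names unknown privileges: {sorted(bad)}")
    overbroad = "*" in requested
    unknown = requested - KNOWN_PRIVILEGES - {"*"}
    granted = frozenset() if overbroad else (requested & initial)
    denied = requested - granted - unknown - {"*"}
    return Decision(granted, denied, unknown, overbroad)


def runtime_request(decision, trusted_profile, privilege, user_approved):
    """Extend a running app's authority only if the trusted profile marks the
    privilege as user-grantable AND the user actually approved the prompt."""
    on_request = frozenset(trusted_profile.get("on_request", ()))
    if privilege in decision.granted:
        return decision
    if privilege not in on_request or not user_approved:
        return decision
    return replace(decision, granted=decision.granted | {privilege})


def install_summary(app_name, decision):
    """Text shown at install time: only what will really be granted, plus an
    explicit note of what the app asked for and did not get."""
    lines = [f"{app_name} will start with:"]
    lines += [f"  - {p}" for p in sorted(decision.granted)] or ["  (no privileges)"]
    if decision.overbroad:
        lines.append("  REFUSED: manifest asks for all privileges ('*')")
    if decision.denied:
        lines.append("  not granted (outside trusted profile): "
                     + ", ".join(sorted(decision.denied)))
    if decision.unknown:
        lines.append("  ignored (unknown names): " + ", ".join(sorted(decision.unknown)))
    return "\n".join(lines)


# Constructed sample: a text editor's own manifest over-asks for the camera
# and network access; the distributor profile allows documents access at
# start and lets the user grant network access on request.
EDITOR_MANIFEST = ["fs.read.documents", "fs.write.documents",
                   "net.client", "device.camera"]
EDITOR_PROFILE = {"initial": ["fs.read.documents", "fs.write.documents"],
                  "on_request": ["net.client"]}
LAZY_MANIFEST = ["*"]   # the "give me all privileges" manifest

if __name__ == "__main__":
    decision = reconcile(EDITOR_MANIFEST, EDITOR_PROFILE)
    print(install_summary("example-editor", decision))
    print(install_summary("lazy-app", reconcile(LAZY_MANIFEST, EDITOR_PROFILE)))
    later = runtime_request(decision, EDITOR_PROFILE, "net.client", user_approved=True)
    print("after user approval:", sorted(later.granted))
```

The design point is the direction of trust: the profile from the dependable source is the ceiling, the application's manifest can only lower it, and the install-time prompt lists just the privileges that survive the intersection, so the user is never asked to judge a request the distributor did not already vet.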

