[cap-talk] least authority gets some press

Stiegler, Marc D marc.d.stiegler at hp.com
Wed Jan 17 16:27:46 CST 2007 

 

> My fundamental disagreement is with the idea that at 
> installation time the user should be notified of what 
> privileges are needed.  I think that's not usable for 
> non-power users.  I'm more persuaded by the alternative the 
> two of you outlined.  For instance, one model that I can 
> imagine might be workable would be for the distributions who 
> aggregate applications to have teams whose job is to review 
> the app's declarations of what privileges they need, and push 
> back if the app's requested privilege level is exorbitant.  
> However, I do have to insist on one point: this is not just a 
> technical problem.  There needs to be some incentive for 
> application writers to spend the time and effort needed to 
> build their app in a least-privilege friendly way, and to 
> figure out exactly what privileges their app needs and to 
> include that in the declaration.
> If the incentives aren't adequate, then this effort will 
> fail.  This approach requires the cooperation of application 
> writers, so application writers will have to want to cooperate.

We probably disagree, and have no data to demonstrate either way, on how
easy this is for application writers. I think I would characterise my
position as follows: the cost of persuading a C++ programmer to move to
any new language is greater than the incremental cost of persuading him
to use a new language that supports/enforces/encourages POLA principles.
Alas, this cost is, as we have seen from 15 years of experience trying
to get C++ programmers to adopt anything new, is enormous.

> 
> My other point is that you should be careful not to leave the 
> impression that "all you have to do is X and it's easy".  
> This would be a significant undertaking -- especially for 
> legacy code.  It won't be cheap.  As pretty much everyone who 
> has tried to do this has discovered (including Microsoft, 
> SELinux, etc.), retrofitting least privilege onto an existing 
> code base requires pretty significant resources.  That's why 
> I think that the incentives and the establishment of a 
> positive feedback loop are probably the biggest challenges 
> here, not the technical issues.

We certainly agree. It won't be cheap to move the legacy. The hardest
part is getting the elephant to move in any direction except the
direction currently marked as "straight ahead".

--marcs

More information about the cap-talk mailing list