[cap-talk] least authority gets some press

jms at seismic.seas.upenn.edu jms at seismic.seas.upenn.edu
Wed Jan 17 18:32:08 CST 2007


David:
I wonder if this is something addressable with a configuration file such as the login shell's .profile on Unix.
-JMS

Sent from my Verizon Wireless BlackBerry  

-----Original Message-----
From: David Wagner <daw at cs.berkeley.edu>
Date: Wed, 17 Jan 2007 11:39:04 
To: cap-talk at mail.eros-os.org
Subject: [cap-talk] least authority gets some press

Jed and David, I mostly agree with you about least privilege and
installing applications.  I think you're right that there are benefits
to having application writers declare what privileges they need.  The
application developers will need to be educated about this; figuring
out what privileges the app will need isn't quite as trivial as you
have made it out to be (just read some of the literature on getting
Microsoft apps to run without Administrator privilege; there is a lot
of experience to suggest that it's a bigger chore than your notes
acknowledge; but it's doable).

My fundamental disagreement is with the idea that at installation time the
user should be notified of what privileges are needed.  I think that's not
usable for non-power users.  I'm more persuaded by the alternative the
two of you outlined.  For instance, one model that I can imagine might
be workable would be for the distributions who aggregate applications
to have teams whose job is to review the app's declarations of what
privileges they need, and push back if the app's requested privilege
level is exorbitant.  However, I do have to insist on one point: this
is not just a technical problem.  There needs to be some incentive for
application writers to spend the time and effort needed to build their
app in a least-privilege friendly way, and to figure out exactly what
privileges their app needs and to include that in the declaration.
If the incentives aren't adequate, then this effort will fail.  This
approach requires the cooperation of application writers, so application
writers will have to want to cooperate.

My other point is that you should be careful not to leave the impression
that "all you have to do is X and it's easy".  This would be a significant
undertaking -- especially for legacy code.  It won't be cheap.  As pretty
much everyone who has tried to do this has discovered (including
Microsoft, SELinux, etc.), retrofitting least privilege onto an existing
code base requires pretty significant resources.  That's why I think
that the incentives and the establishment of a positive feedback loop
are probably the biggest challenges here, not the technical issues.
_______________________________________________
cap-talk mailing list
cap-talk at mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk
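The review model Wagner sketches above (the app declares the privileges it needs; the distribution's reviewers compare that declaration against what an app of that kind normally gets and push back on anything beyond it) can be made concrete with a small tool. The following is an added example, not code from the cap-talk thread or from any project; the manifest syntax, the privilege names, the per-category baseline table and the two sample manifests are all constructed for the example.

```python
"""Reviewing an application's declared-privilege manifest.

Added example, not code from the cap-talk thread. An app ships a declaration
of the privileges it needs; the reviewer compares it against the baseline for
its category and gets back exactly what to push back on. Manifest format,
privilege names and baseline table are hypothetical, constructed for this example.
"""
from dataclasses import dataclass, field

# Baseline privileges granted to each app category without further questions
# (hypothetical table; a real distribution would maintain its own).
BASELINE = {
    "text-editor": {"fs:read:$HOME", "fs:write:$HOME", "display"},
    "media-player": {"fs:read:$HOME", "audio", "display"},
    "mail-client": {"fs:read:$HOME", "fs:write:$HOME", "net:client", "display"},
}

# Privileges a human reviewer must look at even when a reason is given.
SENSITIVE = {"admin", "net:listen", "fs:write:/", "raw-devices"}


@dataclass
class Manifest:
    name: str
    category: str
    needs: set   # privileges the developer declares the app requires
    why: dict    # privilege -> developer's justification for it


@dataclass
class Review:
    app: str
    excess: set = field(default_factory=set)       # requested beyond the baseline
    unjustified: set = field(default_factory=set)  # excess with no reason given
    needs_human: set = field(default_factory=set)  # sensitive, justified, still needs a reader

    @property
    def ok(self):
        """Automatic pass: nothing beyond the baseline lacks a justification."""
        return not self.unjustified


def parse_manifest(text):
    """Parse the constructed 'key = value' manifest format.

    Lines: 'name = ...', 'category = ...', 'needs = p1, p2, ...' and
    'why <privilege> = <reason>'. Blank lines and '#' comments are ignored.
    """
    fields = {"name": None, "category": None, "needs": set(), "why": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(" = ")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        if key == "needs":
            fields["needs"] = {p.strip() for p in value.split(",") if p.strip()}
        elif key.startswith("why "):
            fields["why"][key[4:].strip()] = value.strip()
        elif key in ("name", "category"):
            fields[key] = value.strip()
        else:
            raise ValueError(f"unknown manifest key: {key!r}")
    if not fields["name"] or not fields["category"]:
        raise ValueError("manifest must declare name and category")
    return Manifest(**fields)


def review(manifest):
    """Compare the declaration against the baseline for its category."""
    baseline = BASELINE.get(manifest.category, set())
    r = Review(manifest.name)
    r.excess = manifest.needs - baseline
    r.unjustified = {p for p in r.excess if not manifest.why.get(p)}
    r.needs_human = (r.excess & SENSITIVE) - r.unjustified
    return r


def report(r):
    """Push-back text the reviewer can send back to the developer."""
    lines = [f"{r.app}: {'accepted' if r.ok else 'push back'}"]
    for p in sorted(r.unjustified):
        lines.append(f"  - {p}: beyond baseline and no justification given")
    for p in sorted(r.needs_human):
        lines.append(f"  - {p}: sensitive, justification must be read by a reviewer")
    return "\n".join(lines)


# Constructed sample manifests: a modest editor, and one asking for far more.
PLAIN_EDITOR = """
name = notepad
category = text-editor
needs = fs:read:$HOME, fs:write:$HOME, display
"""

GREEDY_EDITOR = """
name = superpad
category = text-editor
needs = fs:read:$HOME, fs:write:$HOME, display, net:listen, admin, audio
why net:listen = hosts collaborative editing sessions
"""

if __name__ == "__main__":
    for text in (PLAIN_EDITOR, GREEDY_EDITOR):
        print(report(review(parse_manifest(text))))
```

The split between `unjustified` and `needs_human` is the point of the design: a request beyond the baseline with no stated reason is an automatic push-back, while a sensitive privilege that does come with a reason is never auto-accepted either, so the reviewer's time goes to the declarations that actually need judgement.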