[cap-talk] least authority - why flames (was: least authority gets some press)

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Jan 19 04:50:54 CST 2007


On Thu, 2007-01-18 at 19:53 -0600, Karp, Alan H wrote:
> Here's one argument I got about the installation endowment.  
> 
> "If I install a program on Windows so that it runs with administrator
> rights, I don't have to specify anything.  The program automatically has
> access to anything it needs.  Isn't that simpler than having to specify
> what rights it needs?"
> 
> I gave my answer.  What's yours?
> 
Not necessarily. That assumes too much about the operating environment.

Although maybe I'm missing the point: perhaps the point is that we keep
the current operating environment the same.

One of Ping's papers somewhere talks about a method of granting
installation endowments to applications based on where they are placed
in the filesystem tree.

Suppose we have /bin for general applications. Anything placed here is
given very limited authority.

Each application is automatically granted access to a
directory /usr/lib/<appname> in which it can create files (we might also
give it a quota for the size of this directory).

Suppose we then have subclasses of /bin, e.g. /bin/networked/web, which
gets the same permissions as those in /bin but also gets permission to
open sockets to remote machines on port 80, 8080, the SSL port etc.


Now the default for installing an application is to place it in /bin,
which is the most secure option and also the most simple. Most apps may
well run just fine like that. Networked apps should be placed elsewhere
to run effectively.
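
The placement-based endowment described in the message above, as an added example that is not part of the original post or of the paper it mentions. The function and class names, the quota figure, the use of 443 for "the SSL port", and the choice to deny anything installed outside /bin are assumptions made for illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed policy table: install directory -> outbound TCP ports granted there.
# /bin and /bin/networked/web come from the post; 443 stands in for "the SSL port".
ENDOWMENTS = {
    PurePosixPath("/bin"): frozenset(),
    PurePosixPath("/bin/networked/web"): frozenset({80, 8080, 443}),
}
DEFAULT_QUOTA_BYTES = 50 * 1024 * 1024  # assumed value; the post names no figure


@dataclass(frozen=True)
class Endowment:
    app: str
    data_dir: PurePosixPath      # the only directory the app may create files in
    quota_bytes: int
    connect_ports: frozenset     # remote ports the app may open sockets to


def endowment_for(binary_path: str) -> Endowment:
    """Derive an application's authority purely from where it was installed."""
    path = PurePosixPath(binary_path)
    if not path.is_absolute() or ".." in path.parts:
        # A path that can climb out of its directory must not pick its own class.
        raise ValueError(f"not a canonical absolute path: {binary_path!r}")
    install_dir = path.parent
    ports, classified = set(), False
    # A subclass directory inherits every grant of the classified directories above it.
    for directory in (install_dir, *install_dir.parents):
        if directory in ENDOWMENTS:
            ports |= ENDOWMENTS[directory]
            classified = True
    if not classified:
        # Assumption: anything outside the /bin tree receives no endowment at all.
        raise PermissionError(f"{install_dir} carries no installation endowment")
    return Endowment(path.name, PurePosixPath("/usr/lib") / path.name,
                     DEFAULT_QUOTA_BYTES, frozenset(ports))


def may_connect(endowment: Endowment, port: int) -> bool:
    """Check a requested outbound connection against the endowment."""
    return port in endowment.connect_ports


if __name__ == "__main__":
    for p in ("/bin/editor", "/bin/networked/web/browser", "/bin/networked/ftp"):
        print(p, "->", endowment_for(p))
```

An unlisted subdirectory such as /bin/networked falls back to the plain /bin endowment, so a misplaced program ends up with less authority rather than more.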




