[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

James A. Donald jamesd at echeque.com
Tue Sep 18 00:28:21 EDT 2007


James A. Donald:
 > > The end result of your line of thinking is chmod,
 > > and not only chmod, but chmod with even more
 > > options.

ihab.awad at gmail.com wrote:
 > I would still be interested to know how my thinking
 > leads to chmod. :) I don't see the connection.

The evil of chmod is that the user winds up setting
arcane flags with unclear consequences.

 > The user should always be able to reason through the
 > worst-case ramifications of the abilities they have
 > given to each actor and decide for themselves. That
 > seems reasonable enough,

The user is unlikely to be able to reason through the
worst-case ramifications of the abilities they have
given to each actor, if we allow them to give any
substantial or durable abilities at all, so we should
not normally have the user knowingly giving any
abilities to any actor.  No to chmod!

Firstly:  As with Bifrost, durable privileges should be
assigned by the install script, without consulting the
user, since the user is unlikely to be able to know what
is necessary or unnecessary.

Secondly, transient privileges, as when an editor is
given authority to edit a particular file, will never be
limited to safe files.  The user *will* use a macro-based
editor full of macros from untrusted and
untrustworthy sources to edit key configuration files.
Thus the Unix practice of using human-readable text
files as configuration files will become a security hole
once otherwise secure systems based on powerboxes are
widely deployed. Therefore configuration files for any
package should only be modifiable by software that is
part of that package, and should not even be visible
otherwise.
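The two points above, modelled as object capabilities, as an added example that is not part of the original thread and not code from Bifrost or any real powerbox: a hypothetical `Powerbox` mints a one-file `FileCap` for whatever the user picks, an untrusted macro receives only that capability, and a hypothetical install-time `PACKAGE_CONFIG` table makes each package's configuration files invisible to the powerbox. The "disk" is an in-memory dict of constructed sample paths and contents, and the user's `.bashrc` is deliberately left unclaimed by any package to show the hole the post warns about.

```python
# Added illustration of the post's "Firstly" and "Secondly", written as an
# object-capability model. Not code from cap-talk, Bifrost or any real powerbox.
# All paths, contents and the package table below are constructed sample data.

import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample disk: path -> contents.
DISK: Dict[str, str] = {
    "/home/alice/notes.txt": "todo: review patch\n",
    "/home/alice/.bashrc": "export PATH=/usr/local/bin:$PATH\n",
    "/etc/mailer/mailer.conf": "relay_host = mail.example.org\n",
}

# Durable authority fixed at install time without asking the user ("Firstly"):
# each package lists the config files only its own code may touch. Hypothetical.
PACKAGE_CONFIG: Dict[str, List[str]] = {
    "mailer": ["/etc/mailer/mailer.conf"],
}


@dataclass(frozen=True)
class FileCap:
    """Transient authority over exactly one file; the editor and its macros hold nothing else."""
    path: str

    def read(self) -> str:
        return DISK[self.path]

    def write(self, text: str) -> None:
        DISK[self.path] = text


class PackageConfigHidden(PermissionError):
    """The powerbox will not even acknowledge a file reserved to a package."""


class Powerbox:
    """Mints a FileCap for the file the user chooses ("Secondly"), except that
    package-owned configuration files are not visible to it at all."""

    def __init__(self, reserved: Dict[str, List[str]]):
        self._reserved = {p for paths in reserved.values() for p in paths}

    def choose_file(self, path: str) -> FileCap:
        norm = posixpath.normpath(path)  # lexical "/etc/x/../x/y" -> "/etc/x/y"
        if norm in self._reserved or norm not in DISK:
            # Hidden and nonexistent files get the same answer: not visible.
            raise PackageConfigHidden(norm)
        return FileCap(norm)


Macro = Callable[[FileCap], str]


def run_untrusted_macro(cap: FileCap, macro: Macro) -> str:
    """The editor hands a macro only the capability it was itself granted."""
    return macro(cap)


def upcase_macro(cap: FileCap) -> str:
    """Constructed sample macro: it can act only through the FileCap it receives."""
    text = cap.read().upper()
    cap.write(text)
    return text


def package_tool_edit(package: str, path: str, text: str) -> None:
    """Only the package's own software may rewrite that package's config."""
    if path not in PACKAGE_CONFIG.get(package, []):
        raise PermissionError(f"{package} does not own {path}")
    DISK[path] = text


def visible_to_editor(pb: Powerbox, path: str) -> bool:
    """True if the powerbox would let a macro-laden editor at this path."""
    try:
        pb.choose_file(path)
        return True
    except PackageConfigHidden:
        return False


if __name__ == "__main__":
    pb = Powerbox(PACKAGE_CONFIG)
    print(run_untrusted_macro(pb.choose_file("/home/alice/notes.txt"), upcase_macro))
    print("mailer.conf visible:", visible_to_editor(pb, "/etc/mailer/mailer.conf"))
    # The post's warning: a human-readable config nobody claims is just a file.
    print(".bashrc visible:", visible_to_editor(pb, "/home/alice/.bashrc"))
```

The design choice worth noticing is that `choose_file` answers "not visible" identically for reserved and nonexistent paths, matching the post's "should not even be visible otherwise"; the `.bashrc` line shows that a text configuration file which no package reserves remains reachable by an untrusted macro, which is exactly the hole the author expects.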
