[cap-talk] High level dissonance (was: Re: What sparked interest in capabilities)

Valerio Bellizzomi devbox at selnet.org
Fri Feb 22 18:27:35 EST 2008


On 22/02/2008, at 20.37, Rob Meijer wrote:

>On Fri, February 22, 2008 19:53, Ivan Krstić wrote:
>> On Feb 22, 2008, at 1:45 PM, Rob Meijer wrote:
>>> Does this inversion of the privilege ownership and delegation make any
>>> sense to you? To me it does.
>>
>> Your e-mail client example falls flat when the user chooses to migrate
>> to a new mail client such as Mozilla Thunderbird, which helpfully
>> offers an 'Import data from other mail clients' screen on first start.
>>
>> We have a name for computer systems that deny complete software
>> control to their legal owner: DRM. It's not a good path to go down.
>
>I feel there is a subtle difference between the 'owner' and the 'user' role,
>even if they are in many cases the same physical person.
>
>> In the Bitfrost design, the user isn't prompted about almost any
>> security-related actions (lots of effort goes towards providing good
>> defaults), but the user still has the ability to arbitrarily change
>> the security settings from a control panel. This is potentially
>> phishable, but I'm familiar with no better way of doing things.
>
>The multi-boot approach that is used to administer hardened unix boxes
>seems quite usable for this kind of thing.
>
>1) boot as a 'usable' system (where the 'user' can use the system and be
>   subjected to all the same POLA principles that the programs are).
>2) boot as an unprotected system where the 'owner' can run all kinds of
>   local administrative tools that bypass normal security rules, but the
>   system doesn't have a networking stack available.
>
>Rob

You can disable network and services by going into run-level 1 by typing
'init 1' in a root terminal.

val
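Added here as an example, not code from the thread or any of its authors: a POSIX shell check that an owner could run after entering the maintenance runlevel to confirm that the network really is unavailable (no non-loopback link up, no TCP listener on a reachable address) rather than assume that 'init 1' took care of it. It assumes a Linux system exposing /sys/class/net and /proc/net/tcp; the socket table in the block is a constructed sample.

```shell
#!/bin/sh
# Added example (not code from the cap-talk thread): confirm that a maintenance
# runlevel has no reachable network instead of assuming 'init 1' did it. Inputs
# are parameters/stdin, so the functions run on a live Linux box or on samples.

# Print non-loopback interfaces whose operstate is "up".
# $1: sysfs net directory (defaults to /sys/class/net).
up_interfaces() {
    dir=${1:-/sys/class/net}
    for path in "$dir"/*; do
        [ -d "$path" ] || continue
        name=${path##*/}
        [ "$name" = "lo" ] && continue
        if [ "$(cat "$path/operstate" 2>/dev/null)" = "up" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Count TCP LISTEN sockets (state 0A) not bound to 127.0.0.1, reading
# /proc/net/tcp-format text on stdin (IPv4 only; tcp6 uses 32-char addresses).
# Field 2 is local addr:port in little-endian hex, so 0100007F is 127.0.0.1;
# field 4 is the socket state; line 1 is the column header.
reachable_listener_count() {
    awk 'NR > 1 && $4 == "0A" && substr($2, 1, 8) != "0100007F" { n++ }
         END { print n + 0 }'
}

# Succeeds (exit 0) only if no non-loopback link is up and nothing listens
# on a reachable address. $1: sysfs net directory, $2: socket table file.
network_quiet() {
    [ -z "$(up_interfaces "$1")" ] &&
        [ "$(reachable_listener_count < "${2:-/proc/net/tcp}")" -eq 0 ]
}

# Constructed sample in /proc/net/tcp format: a listener on 0.0.0.0:22 (0016),
# a listener on 127.0.0.1:631 (0277), and one established connection (st 01).
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0A00020F:A1B2 0A000201:0016 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0'

# Stand-alone run: report on the live system if present, else on the sample.
if [ -d /sys/class/net ] && [ -r /proc/net/tcp ]; then
    printf 'up links: %s\n' "$(up_interfaces | tr '\n' ' ')"
    printf 'reachable TCP listeners: %s\n' "$(reachable_listener_count < /proc/net/tcp)"
else
    printf 'sample reachable TCP listeners: %s\n' "$(printf '%s\n' "$SAMPLE_TCP" | reachable_listener_count)"
fi
```

Run it as root after 'init 1'; a non-zero exit from network_quiet means interfaces or listeners survived the runlevel change and still need to be taken down by hand.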
