[cap-talk] More Heresy: ACLs not inherently bad

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Sep 12 03:40:56 CDT 2008


On Fri, 2008-09-12 at 09:58 +1000, James A. Donald wrote:
> And the installation endowment should be one of a small
> set of named installation endowments, each of O(100)
> rights - one for things like editors, one for things
> like music players, and so on and so forth.
> 
> Most of these named installation endowments were created
> by the people who prepared the operating system before
> it was installed, and very rarely does an end user add a
> new named group of endowments to this set

The way to start is to just install the software and all of its stated
dependencies into the same namespace. (This is exactly what Plash does.)
Then it automatically has access to pretty much everything it needs,
sans obvious things like:

"Sound Players" need write access to /dev/dsp
"Sound Recorders" need read access to /dev/dsp
"Email" applications need to be able to connect to the user's chosen
IMAP/POP servers etc. or connect to the trusted Email daemon that
manages this authority, as discussed recently.
etc.

These obvious endowments could be specified as some sort of standard,
e.g. FreeDesktop.org and incorporated into the various desktop
environments.

Most applications already group themselves into broad categories similar
to the above by specifying in their .desktop file a list of
"Categories". e.g. the "Categories" for Evolution are (on Fedora Core 9)

Categories=GNOME;GTK;Office;Email;Calendar;ContactManagement;X-Red-Hat-Base;

For some of these, there are some obvious endowments to derive. In
particular the "Calendar", "Email", "ContactManagement" and possibly
"Office" categories all point to useful classes of permissions that
could automatically be given at install time.

Heuristics could be used to detect .desktop files that specify dangerous
sets of Categories, e.g. having both WebBrowser and ContactManagement
could be dodgy, but would be detectable at install time.
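As an added example (not code from Plash or from anyone in this thread), here is a small Python sketch of the install-time derivation discussed above: it reads the Categories key from a .desktop entry, maps known categories to named endowments, and flags the WebBrowser plus ContactManagement combination. The category-to-endowment table, the dodgy-pair list and the sample entry are constructed assumptions, not part of any freedesktop standard.

```python
import configparser

# Constructed table: freedesktop Category -> coarse named endowments that a
# sandboxed install would be granted. Illustrative only, not a real standard.
CATEGORY_ENDOWMENTS = {
    "Email": {"connect:mail-daemon"},            # via the trusted Email daemon
    "Calendar": {"read:calendar-store", "write:calendar-store"},
    "ContactManagement": {"read:address-book", "write:address-book"},
    "Office": {"read:user-documents", "write:user-documents"},
    "AudioVideo": {"write:/dev/dsp"},            # "Sound Players"
    "Recorder": {"read:/dev/dsp"},               # "Sound Recorders"
    "WebBrowser": {"connect:any-host"},
}

# Constructed set of category pairs whose joint presence is flagged at install.
DODGY_PAIRS = {frozenset({"WebBrowser", "ContactManagement"})}


def parse_categories(desktop_text: str) -> list[str]:
    """Return the Categories list from the [Desktop Entry] group."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain %
    cp.read_string(desktop_text)
    raw = cp.get("Desktop Entry", "Categories", fallback="")
    return [c for c in raw.split(";") if c]  # trailing ';' yields an empty item


def derive_endowments(categories) -> set[str]:
    """Union of the endowments implied by every recognised category."""
    return set().union(*(CATEGORY_ENDOWMENTS.get(c, set()) for c in categories))


def dodgy_combinations(categories) -> list[frozenset]:
    """Dangerous pairs fully present in the entry's categories."""
    present = set(categories)
    return sorted((p for p in DODGY_PAIRS if p <= present), key=sorted)


# Constructed sample modelled on the Evolution entry quoted in the post.
EVOLUTION_DESKTOP = """[Desktop Entry]
Name=Evolution
Exec=evolution
Categories=GNOME;GTK;Office;Email;Calendar;ContactManagement;X-Red-Hat-Base;
"""

if __name__ == "__main__":
    cats = parse_categories(EVOLUTION_DESKTOP)
    print(sorted(derive_endowments(cats)))
    print(dodgy_combinations(cats))
```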