[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Dec 15 01:50:12 PST 2009


2009/12/15 Ben Kloosterman <bklooste at gmail.com>
>
> For the OS I'm working on I proposed that we can reduce user ambient
> authority significantly and I want to double check my suggestions.  Firstly
> please note there is no command line/console.
>
> Here is the escalation process and note application settings are per user.

Below you're talking about application installation. I'm not sure why
this needs to include any kind of "privilege escalation"?

I would advise against adopting any installation model that has any
resemblance to the Windows User Account Control architecture, nor any
semblance to the Unix 'sudo' design.

Instead, I'd argue that you should look at Plash and its solution for
installing "regular" Debian packages (with a little bit of metadata)
and granting them capabilities and the least authority they need to
function. See http://plash.beasts.org/wiki/PackageSystem

(Note that file names in Plash sandboxes may be treated as human
readable handles to capabilities.)

In particular, Plash takes a Debian package, downloads all of its
dependencies and then installs the package and all dependencies
together in the same sandbox. What this translates to is that an
application is given the capabilities to all of its dependencies and
dependencies are automatically inferred using standard mechanisms.

That leaves a few static privileges that might need to be granted to
certain applications, e.g. "access to sound card" or "access to
network" (depending how fine-grained you want your permissions). These
can also be inferred from metadata included with applications. For
instance, FreeDesktop.org ".desktop" files contain enough metadata to
usually allow one to infer these static privileges (see e.g. the
"Categories" field).

Cheers

Toby
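As an added illustration of the inference step described in the message above (this is example code written here, not Toby Murray's and not part of Plash), the following Python script parses a FreeDesktop ".desktop" file, reads its "Categories" field and derives the set of static privileges an installer would grant on top of the package's dependencies. The mapping from category names to privilege names (`CATEGORY_PRIVILEGES`) and the sample ".desktop" contents are assumptions constructed for this example; the category names themselves are registered FreeDesktop values, but nothing in the specification ties them to privileges.

```python
"""Infer static privileges for an application from its .desktop metadata.

Added example, not Plash's code.  The category-to-privilege mapping is an
assumption chosen for illustration, not part of the FreeDesktop standard.
"""
import configparser

# Assumed mapping: registered FreeDesktop categories -> static privilege.
# Anything not listed here grants nothing, so the default is no authority.
CATEGORY_PRIVILEGES = {
    "Audio": "sound-card",
    "AudioVideo": "sound-card",
    "Network": "network",
    "WebBrowser": "network",
    "Email": "network",
}

# Constructed sample .desktop file (not taken from any real application).
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Example Player
Exec=example-player %U
Categories=AudioVideo;Audio;Player;
"""


def parse_categories(desktop_text):
    """Return the Categories list from a .desktop file's [Desktop Entry].

    The field is a ';'-separated list that conventionally ends with ';',
    so empty entries produced by the split are dropped.
    """
    cp = configparser.ConfigParser(interpolation=None)  # Exec may contain %U
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(desktop_text)
    raw = cp.get("Desktop Entry", "Categories", fallback="")
    return [c for c in raw.split(";") if c]


def infer_privileges(desktop_text):
    """Map the file's categories to the sorted set of privileges to grant.

    Unknown categories contribute nothing, so an application whose metadata
    mentions no relevant category receives no static privilege at all.
    """
    categories = parse_categories(desktop_text)
    return sorted({CATEGORY_PRIVILEGES[c] for c in categories
                   if c in CATEGORY_PRIVILEGES})


if __name__ == "__main__":
    print(infer_privileges(SAMPLE_DESKTOP))  # ['sound-card']
```

The point of keeping the mapping an explicit allow-list is that the installer only ever grants what the metadata positively implies; a package with no recognised category gets its dependencies and nothing more.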

