2009/12/15 Ben Kloosterman <span dir="ltr"><<a href="mailto:bklooste@gmail.com">bklooste@gmail.com</a>></span><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Note the escalations are a bit different from Windows UAC and sudo due to<br>
the fact that the granularity is application (per user) instead of user and<br>
there is no su account. Because, by default, an application has no authority,<br>
everything needs to be added.<br>
<br>
The idea with the escalations is that there is little ambient authority from<br>
the user, and on a totally secure system you can, with a policy setting,<br>
disable it. However, I would argue that without such an escalation most<br>
initial install settings would need to be looser, e.g. instead of saying only<br>
Word has r/w access to .doc files in the home directory and only Excel to .xls,<br>
you get the situation that all applications have full access to the user's<br>
home directory. With escalation you can use very tight settings and then<br>
escalate them as needed; after a short time all the settings would be in<br>
place.<br></blockquote><div><br></div><div>This sounds more like what would be referred to by some on this list as "granting authority via a powerbox". The user has some authority that needs to be granted to an application. The application asks for it via some trusted UI and the user decides whether to grant it or not.</div>
<div><br></div><div>The classic example is the "File Open" dialog box, where the user choosing a file to be opened grants the application the authority (i.e. a capability) to read that file.</div><div><br></div>
<div>You might like to look at Ka-Ping Yee's paper on security by designation vs. admonition, see <a href="http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2004.64">http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2004.64</a></div>
<div><br></div><div>as well as the work on CapDesk and Polaris, both of which looked at using a powerbox system to grant authority to applications at install time.</div><div><br></div><div>Finally, you might also consider looking at Plash's CopyOnWrite facility. You grant an installed application CopyOnWrite access to large parts of the file system that it might think it needs to modify. Any modifications cause a copy of the original to be made, to which the write occurs, leaving the original file unaffected.</div>
<div><br></div><div>Cheers</div><div><br></div><div>Toby</div></div>
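<div>A toy model of the two mechanisms in the reply above, the powerbox grant and Plash-style CopyOnWrite access, as an added example that is not code from Plash, CapDesk, Polaris or anyone on the thread; the names CopyOnWriteDir, powerbox_grant and application are assumed for illustration, and the overlay is a plain temporary directory rather than a real sandbox.</div>

```python
import os
import shutil
import tempfile


class CopyOnWriteDir:
    """Capability to one directory with copy-on-write semantics: reads fall
    through to the original; the first write copies the file into a private
    overlay, and later reads and writes use that copy."""
    def __init__(self, original, overlay):
        self.original, self.overlay = original, overlay

    def _paths(self, name):
        return os.path.join(self.original, name), os.path.join(self.overlay, name)

    def read(self, name):
        orig, over = self._paths(name)
        with open(over if os.path.exists(over) else orig, "rb") as f:
            return f.read()

    def write(self, name, data):
        orig, over = self._paths(name)
        if not os.path.exists(over) and os.path.exists(orig):
            shutil.copyfile(orig, over)  # copy made on the first write only
        with open(over, "ab") as f:      # brand-new files just live in the overlay
            f.write(data)


def powerbox_grant(user_chosen_dir):
    """Trusted-UI side (hypothetical API): the user designates a directory and
    the application gets a CopyOnWriteDir for it, never the raw path."""
    return CopyOnWriteDir(user_chosen_dir, tempfile.mkdtemp(prefix="cow-"))


def application(view):
    """Untrusted side: holds only the capability it was handed."""
    view.write("report.txt", b"app edit\n")
    return view.read("report.txt")


def demo():
    """Constructed scenario: one file in a home-like directory; the app edits
    it through the grant while the original on disk stays unchanged."""
    home = tempfile.mkdtemp(prefix="home-")
    with open(os.path.join(home, "report.txt"), "wb") as f:
        f.write(b"v1\n")
    seen_by_app = application(powerbox_grant(home))
    with open(os.path.join(home, "report.txt"), "rb") as f:
        still_on_disk = f.read()
    return seen_by_app, still_on_disk
```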