[E-Lang] E FAQ
Jonathan S. Shapiro
shap@eros-os.org
Tue, 16 Oct 2001 07:55:19 -0400
> However, the possibility is there in the [Java]
> architecture to do much better in this regard. If apps normally ran
> with all privileges disabled, and bracketed only those areas where they
> need privilege P with enablePrivilege(P); ...; disablePrivileged(P),
> this would be a big step towards least privilege, wouldn't it?
In a word: "no."
First, such controls are entirely discretionary. If the code can be
compromised, the compromised program has full access to the expanded
authority set. Least privilege is a mandatory control.
Second, your proposal has been tried in other contexts. It is called
setegid/seteuid. Empirically it (a) doesn't work, and (b) cannot be
maintained.
Jonathan
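The seteuid point above, as an added illustration that is not part of the original message: a temporary drop via seteuid() leaves the saved uid in place, so root is one call away for any code running in the process, whereas overwriting all three uids with setresuid() is not reversible. The check on the uid triple and the two drop helpers are hypothetical names written for this example (getresuid/setresuid are Linux and BSD extensions).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure check on a (real, effective, saved) uid triple. An unprivileged
 * process may set its effective uid to any of the three, so if the
 * effective uid is non-root but the real or saved uid is still 0, a
 * compromised program can simply call seteuid(0) and get root back. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid) {
    if (euid == 0) return 1;           /* still root: nothing was dropped */
    return ruid == 0 || suid == 0;     /* root is one seteuid() away      */
}

/* Same check against the live process. Returns -1 if getresuid() fails. */
int process_can_regain_root(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return can_regain_root(r, e, s);
}

/* The bracketing style discussed in the thread: lower the effective uid
 * but keep the saved uid so the privilege can be re-enabled later.
 * This is the discretionary, reversible form. */
int drop_root_temporarily(uid_t uid) {
    return seteuid(uid);
}

/* Permanent drop: overwrite real, effective AND saved uid, then verify
 * rather than trusting the return value. 0 on success, -1 if the process
 * could still get root back. */
int drop_root_permanently(uid_t uid) {
    if (setresuid(uid, uid, uid) != 0) return -1;
    return process_can_regain_root() == 0 ? 0 : -1;
}

int main(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("before: ruid=%u euid=%u suid=%u can_regain_root=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, process_can_regain_root());
    /* As a non-root user all three uids are already equal, so the drop is
     * a no-op; run as root to see the saved uid actually change. */
    if (drop_root_permanently(getuid()) != 0) { perror("drop"); return 1; }
    getresuid(&r, &e, &s);
    printf("after:  ruid=%u euid=%u suid=%u can_regain_root=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, process_can_regain_root());
    return 0;
}
```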