cap-talk: Re: CGI scripts under EROS

Re: CGI scripts under EROS Ben Laurie (ben@algroup.co.uk)
Wed, 22 Apr 1998 00:02:44 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
[ Next ]In reply to: Jonathan S. Shapiro Next in thread: Jonathan S. Shapiro

Jonathan S. Shapiro wrote:
>
> [Please note that I have moved this discussion to cap-talk, since it
> is not really EROS specific. The original problem was to prevent a
> program from leaking sensitive bank information. The second response
> is quoted at the bottom. ]
>
> > I'm beginning to suspect I should shut up until I'm better acquainted
> > with how EROS does things.
>
> Actually, this is precisely why you *should* ask these questions. How
> else can the answers end up in the FAQ?

Just remember that you asked for it :-)

> > I'm having problems understanding who "you" is and how "you" "hands"
> > things about the place, what a "trusted system intermediary agent" is
> > and how it "checks with you". And so on...
>
> "You" is actually a program operating on your behalf. It holds a
> capability on your behalf, and can either transmit it or not transmit
> it.
>
> The sorts of leaks you are concerned about can occur only when an
> untrusted program holds (simulaneously or in sequence) a capability
> conveying access to sensitive data and also a capability conveying
> authority to communicate with an unauthorized party.

This is where it gets interesting, I think. How does the authority tie in with the party we communicate with?

> The source of the confusion may lie in a POSIX assumption. In a POSIX
> system, any program can make a "socket" call and get their hands on a
> network connection. The right to create a socket is therefore part of
> a program's "intrinsic" authority.
>
> In a capability-protected system, sockets can only be created if the
> program holds a capability for the networking subsystem. [ Such a
> program would not be considered confined, by the way. ] Further, two
> programs can communicate only if one holds a capability for the other.
> By being careful what capabilities are handed to a program, the
> sequence leading to exposure can be eliminated.

OK, what I still am not getting is how I can decide what capabilities a program has according to who is at the other end of the network connection. This seems vital to me.

> The "trusted agent" I had in mind is an "open file" utility. Instead
> of giving the application access to the file system, give it access to
> a utility that will ask the user where things should be stored, and
> can alert the user that the application may be working with sensitive
> data.

Who is the user in this case? How can I alert someone who may be in bed (remembering we are talking about webservers here)?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

[ Next ] In reply to: Jonathan S. Shapiro Next in thread: Jonathan S. Shapiro