Re: On trusting its parent process
From: Lee Braiden
Subject: Re: On trusting its parent process
Date: Wed, 13 Jul 2005 10:59:55 +0100
User-agent: KMail/1.8
On Tuesday 12 Jul 2005 14:05, Ludovic Courtès wrote:
> In the Hurd, processes get capabilities to the root filesystem, to
> `auth' and friends from their parent process. This is very convenient
> because it allows one to run processes in a "sandbox". OTOH, this makes it
> impossible for a process to make sure it is talking to "authentic"
> servers, as in the Plan 9 case above.
>
> Now, what does "authentic" mean in a system designed in such a way that
> most system services can be replaced by the user? Should programs be
> allowed to rely on a specific implementation of a given service?
I'm just a lurker, not very familiar with HURD. But on Amigas, the kernel
functions were overridden using a library call, setpatch() if I recall
correctly, which installed a new function address for that call. Presumably,
LD_PRELOAD works similarly.
If it's this library overriding that's the problem, is it not possible to just
say that some library calls are "final", and cannot be overridden? And
wouldn't such a library call be able to authenticate any services that must
be final, too?
--
Lee Braiden
http://www.DigitalUnleashed.com