Re: POSIX
From: Ronald Aigner
Subject: Re: POSIX
Date: Wed, 26 Oct 2005 17:49:54 +0200
User-agent: Debian Thunderbird 1.0.2 (X11/20051002)

Jonathan S. Shapiro wrote on 10/26/2005 05:28 PM this:
> On Wed, 2005-10-26 at 16:13 +0200, Alfred M. Szmidt wrote:
>
>> Web browsers
>> Email readers
>> Word processors
>> Document browsers (e.g. acrobat, xpdf, ghostview)
>>
>>All those run in a jail of sorts: the current user. What would be
>>nifty is a way to allow a user to make sub-users, where he can
>>encapsulate a program and only give write/read access to a specific
>>directory. Which is possible to do with any extensive rewrites I
>>think.
>
>
> Typo: I believe you meant to write "... *without* any extensive
> rewrites"
>
> I have often thought about doing something like this, because it would
> be very attractive to be able to rescue the design model of current
> systems. Here is what I believe it would take:
>
> 1. A model of "user" that is hierarchical, in the sense that I can
> add and destroy new pseudo-users that are subordinate to me.
>
> 2. A real ACL implementation in the file systems
>
> 3. A very efficient way to visit all of the files that *I* have access
> to and grant access to a new, subordinate user.
>
> I have always failed to achieve the third part. If the actual number of
> necessary configurations can be kept very small, I can see that a
> statically preconfigured "safe subset" is possible. What I do not see is
> how to efficiently build a similar thing dynamically, in a way that is
> specific to the particular application that I am trying to run at the
> moment. By the time my protection agent is done visiting all of the
> necessary files, I have taken far longer than I can afford.

Maybe I am missing something, but a concept which comes to my mind that
could solve the third part is a concept published in [1].

[1] http://os.inf.tu-dresden.de/papers_ps/icdcs97.ps.gz Haertig,
Reuther: "Encapsulating Mobile Objects" (ICDCS, 1997)

Greetings, Ron.
--
Mit freundlichen Gruessen / with regards
ra3 @ inf.tu-dresden.de
http://os.inf.tu-dresden.de/~ra3/
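
The three requirements listed in the quoted message (hierarchical pseudo-users, per-file ACLs, and a walk that grants a subset of access to a subordinate), as a small in-memory model. This is an added example, not code from the thread or from the cited paper; the class names, paths, file counts and the flat ACL table are all constructed assumptions.

```python
class Principal:
    """Requirement 1: users form a tree; a user may create subordinates."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def subordinate_of(self, other):
        p = self.parent
        while p is not None and p is not other:
            p = p.parent
        return p is other

class FileSystem:
    """Requirement 2: every file carries an ACL {principal: set of rights}."""
    def __init__(self):
        self.acl = {}

    def create(self, path, owner, rights="rw"):
        self.acl[path] = {owner: set(rights)}

    def allowed(self, who, path, right):
        return right in self.acl.get(path, {}).get(who, ())

    def grant_subset(self, parent, child, wanted, rights):
        """Requirement 3: walk every file the parent can reach and copy a
        capped subset of its rights. Returns (files_visited, entries_written)."""
        if not child.subordinate_of(parent):
            raise PermissionError("can only delegate to own subordinates")
        visited = written = 0
        for path, entries in self.acl.items():
            mine = entries.get(parent)
            if not mine:
                continue                 # parent has no access: nothing to pass on
            visited += 1
            capped = mine & set(rights)  # child never exceeds the parent
            if capped and wanted(path):
                entries[child] = capped
                written += 1
        return visited, written

    def destroy(self, child):
        """Destroying a pseudo-user means revoking it from every ACL."""
        return sum(e.pop(child, None) is not None for e in self.acl.values())

def demo(n_files=10_000):
    """Constructed sample: one user, n_files documents, one download directory."""
    alice = Principal("alice")
    browser = Principal("alice/browser", parent=alice)
    fs = FileSystem()
    for i in range(n_files):
        fs.create(f"/home/alice/docs/{i}.txt", alice)
    fs.create("/home/alice/Downloads/a.pdf", alice)
    fs.create("/home/alice/Downloads/ro.iso", alice, rights="r")
    in_downloads = lambda p: p.startswith("/home/alice/Downloads/")
    return fs, alice, browser, fs.grant_subset(alice, browser, in_downloads, "rw")
```

With the constructed sample, the walk visits 10,002 files in order to write 2 ACL entries, which is the per-launch cost the quoted message describes.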