Re: Supporting POSIX *users*
From: Jonathan S. Shapiro
Subject: Re: Supporting POSIX *users*
Date: Thu, 27 Oct 2005 11:17:42 -0400
On Thu, 2005-10-27 at 15:17 +0200, Alfred M. Szmidt wrote:
> > open() -- assumes a universally shared, mutable store.
> >
> > Nothing wrong with that.
>
> There is. It is possible to protect private data from becoming
> shared by malicious applications. This is a good thing. What you
> need for it is confinement: in that case, a hostile application
> which can read your private data cannot share it. A universally
> shared mutable store makes confinement impossible, and therefore
> giving private data to potentially hostile programs dangerous.
>
> I consider that an absurd level of paranoia totally unsuitable for a
> system that you use on a daily basis.
Okay. Please explain how to safely run a browser plugin when the plugin
can write to anything in the file system.
> Right, you want to secure your system by not making the wrong
> syscalls in your code? And why do you think a hostile application
> is going to live by that rule?
>
> And by not implementing the `evil syscalls', as I have said repeatedly!
> You cannot use a syscall if it doesn't exist. That is what I mean by
> don't call it, don't use it, etc.
Cool. Please remove open(), socket(), [gs]etuid(), and fork() for
starters.
> But a system which only does parts of it is not a POSIX system.
>
> Yes it is, POSIX doesn't mandate that everything must be implemented.
Could you please post the address of your drug supplier? It must be
*great* stuff!
Seriously: I think you have not actually sat on a standards committee if
you can say this.
> I think Jonathan will not consider OpenBSD defensible. ;-)
>
> Jonathan won't consider anything defensible other than EROS.
Actually, no. KeyKOS was just as defensible. The VAX/VMM work was
nearly as defensible, and the later Multics work was VERY good from a
security standpoint (but probably not from a performance standpoint).
The Blacker kernel (GemSOS) was adequate, but insufficiently general
purpose. The ASOS kernel was *extremely* good, but was targeted at a
narrower and more specialized base of applications.
OpenBSD is probably the best attempt to retrofit security onto a
hopeless situation that I have ever seen. It is a *great* holding
action, but it is not a solution that will stand the test of time.
Several core people on the OpenBSD project, by the way, have agreed with
that statement.
> Running untrusted code is useful, and people will do it anyway, no
> matter what the consequences are. We can build an operating system
> which makes this acceptable, instead of highly dangerous.
>
> We already have such a system.
Alfred: you are simply wrong. And you have been pointed at the formal
results that conclusively, mathematically *prove* that you are wrong,
you have ignored them, and you persist in making this wrong assertion. I
am very sorry, but 2+2 will not be 5 no matter how many times you insist
that it is so.
shap
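The confinement argument in the exchange above, as an added example that is not part of the original post: a toy reachability check over an object graph (all object and principal names are constructed) showing why a plugin cannot be confined when it inherits the whole shared store, but can be when it holds only the capabilities it was handed.

```python
"""Confinement as a reachability check over capabilities.  Added example,
not code from the thread; every name is constructed.  A program is confined
when nothing it can write is readable by a principal outside its owner's
domain.  The store's object graph is the same in both cases below; what
differs is the authority the plugin starts with."""
from collections import deque

# Object graph: object -> list of (child object, rights the object confers).
# A directory confers rights on its entries; a plain file confers nothing.
STORE = {
    "/home/alice": [("/home/alice/secret", {"r", "w"})],
    "/tmp": [("/tmp/drop", {"r", "w"})],
}

def reachable(graph, start_caps):
    """Transitive closure of (object -> rights) reachable from start_caps.
    Model rule: rights on a child are attenuated by rights on the parent."""
    have = {}
    todo = deque(start_caps)
    while todo:
        obj, rights = todo.popleft()
        if rights <= have.get(obj, set()):
            continue                                   # nothing new learned
        have[obj] = have.get(obj, set()) | rights
        for child, child_rights in graph.get(obj, ()):
            todo.append((child, child_rights & rights))
    return have

def is_confined(graph, subject_caps, other_principals):
    """True iff no object the subject can write is readable by another
    principal; otherwise False plus the sorted list of leaking objects."""
    writable = {o for o, r in reachable(graph, subject_caps).items() if "w" in r}
    leaks = set()
    for caps in other_principals:
        theirs = reachable(graph, caps)
        leaks |= {o for o in writable if "r" in theirs.get(o, set())}
    return (not leaks), sorted(leaks)

# Some other principal (another user, a daemon, another plugin) that can read /tmp.
OTHERS = [[("/tmp", {"r", "w"})]]

def ambient_case():
    """POSIX-style: the plugin inherits all of alice's authority, including
    the shared /tmp, so whatever it can read can land where others read."""
    plugin = [("/home/alice", {"r", "w"}), ("/tmp", {"r", "w"})]
    return is_confined(STORE, plugin, OTHERS)

def confined_case():
    """Capability-style: a read cap on the one input and a write cap on an
    output object only the owner can reach, and nothing else."""
    plugin = [("/home/alice/secret", {"r"}), ("plugin-output", {"w"})]
    return is_confined(STORE, plugin, OTHERS)
```

Running `ambient_case()` reports the leak through `/tmp` and `/tmp/drop`, while `confined_case()` passes: the difference is not the plugin's code but the authority it started with.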