Re: A Few Ideas



On Mon, 21 Sep 1998, Stefan Skoglund wrote:

> What does this entail:
> Only applications with the proper authentications should be able to
> do super-user operations and only the user with super-user privileges
> should be able to run those programs at their full performance.

What you are describing can be handled well by the capability security
model.

> Normal users should be able to run exactly the same programs too.
> Visualize a tool for managing network interfaces. The superuser should
> be able to change ipfw settings, killing network interfaces, changing IP
> addresses
> and so on. Normal users could use the same program to check out performance,
> i.e. speed, collisions and so on.

Sounds good.  I like the idea of sharing interfaces and letting the normal
users have their piece of the pie, without letting them start a food fight.
 
> Nasty macro-viruses should be unable to start that program at all.
> And they should especially not be able to access anything which is sensitive.
> 
> And all these different programs should be able to coexist at the same X11
> display. Something like this probably requires authentication features very
> different from UNIX.

Yes, unfortunately, this is not really a GUI issue, but a security one.  You
can't enforce security through GUI alone - that's like locking your front
door and leaving your back door open.  Instead, you need an integrated
security model, like <soapbox> the capability security model.  The idea
behind it is that instead of keeping an access control list for each object,
you simply pass out "keys" (essentially pointers) to other objects to which
you wish to grant access.  When a user logs in, they are given a session key
which can open a box containing keys to all their applications and
documents.  That box is their desktop configuration.  Some keys can activate
only certain features of objects, which is what you described in the
scenario of a normal user using sysadmin tools.  Administratively, it is
much cleaner and far less error-prone to keep the keys with the users rather
than the guest list with the club owner.  Security is tighter, yet more
flexible.

Some operating systems, such as KeyKOS (http://www.cis.upenn.edu/~KeyKOS/)
and EROS (http://www.cis.upenn.edu:80/~eros/), integrate capabilities into
the kernel.  Another feature of these systems is that the entire state of
the system is "kept" in memory.  Files are not loaded from disk - instead,
objects are always requested from other objects, and passed by sending a
key.  The key isn't just the right to access an object, but a pointer to the
object itself.  Of course, the state of the system is actually cached and
mirrored on disk.  As a result of this design, it takes less than a minute
to boot the system, and it always returns to the point where it last saved
its state (which is performed every five minutes).  This feature is called
orthogonal persistence.

Integrating these features into UNIX could be difficult.  I admit ignorance
about such projects.  Nevertheless, the behavior you are asking for
(allowing normal users limited access to sysadmin apps) could be
accomplished by suid-ing the apps and making sure they check the user ID and
allow only certain functions to certain users.  This is precisely the kind
of security problem that the capability model can simplify.

More information about capabilities can be found at these URLs:
http://207.142.17.8/http://www.caplet.com:80/security/editorial/index.html
http://www.mediacity.com/~norm/CapTheory/
http://www.communities.com/company/papers/security/index.html
http://www.cis.upenn.edu/~eros/essays/capintro.html

</soapbox>

/-------- Quantum Seep, qseep@iname.com ---
  "His funny bone's connected to the M-bone"
   PGP fingerprint: 5B 3B 7B EC AA 5B 4B 7F  65 7D 2A CD 69 11 29 2A
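The sketch below is an added example (not code from the message above, nor from KeyKOS or EROS) of the object-capability pattern the reply describes: a session key opens a "box" (desktop) of keys, a key is a reference to the object itself, and an attenuated key exposes only some of an object's features. The shared network tool never inspects a user ID, which is the contrast with the suid-and-check-the-UID approach the reply mentions: what a caller can do is decided entirely by the key it was handed. The interface name, addresses, statistics and the `LoginService`/`Desktop`/`MonitorCap` classes are all constructed for the illustration. Python is not a capability-safe language (globals and introspection can bypass any of this), so the code shows the pattern rather than an enforced boundary; systems like EROS enforce it in the kernel.

```python
"""Object-capability sketch: keys as references, attenuation, and a keyed desktop.

Added example, not code from the original post or from KeyKOS/EROS.
"""
from __future__ import annotations

import secrets


class NetworkInterface:
    """The protected object. In a capability system, holding a reference to it
    is the authority to use it; there is no separate access-control list."""

    def __init__(self, name: str, ip: str) -> None:
        self.name = name
        self.ip = ip
        self.up = True
        self.stats = {"speed_mbps": 100, "collisions": 3}  # constructed sample values

    # Read-only operation: the "performance" view normal users are meant to have.
    def read_stats(self) -> dict:
        return dict(self.stats)

    # Privileged operations: reachable only through the unattenuated key.
    def set_ip(self, ip: str) -> None:
        self.ip = ip

    def shutdown(self) -> None:
        self.up = False


class MonitorCap:
    """Attenuated key (a facet) that forwards only the read-only operation.
    Nothing in it hands out the underlying NetworkInterface reference."""

    def __init__(self, iface: NetworkInterface) -> None:
        self._iface = iface

    def read_stats(self) -> dict:
        return self._iface.read_stats()


class Desktop:
    """The 'box' a session key opens: a name -> capability map for one user."""

    def __init__(self, keys: dict) -> None:
        self._keys = dict(keys)

    def key(self, name: str):
        # KeyError means this desktop never held such a key; there is no
        # way to name the object without one.
        return self._keys[name]


class LoginService:
    """Issues session keys and opens the matching desktop box.
    Hypothetical service: user key sets are fixed at enrollment."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def enroll(self, desktop: Desktop) -> str:
        session_key = secrets.token_hex(16)  # unguessable bearer token
        self._sessions[session_key] = desktop
        return session_key

    def open(self, session_key: str) -> Desktop:
        return self._sessions[session_key]


def netmgr_status(cap) -> dict:
    """The shared tool in monitor mode. It never checks who the caller is:
    whatever capability it is handed decides what it can do."""
    return cap.read_stats()


def netmgr_set_ip(cap, ip: str) -> str:
    """The shared tool in admin mode. A MonitorCap has no set_ip, so a normal
    user's key simply cannot drive this code path."""
    cap.set_ip(ip)
    return cap.ip


def demo() -> dict:
    """Three sessions: superuser, normal user, and a keyless untrusted runtime."""
    eth0 = NetworkInterface("eth0", "192.0.2.10")  # constructed interface
    login = LoginService()
    root_session = login.enroll(Desktop({"eth0": eth0}))             # full key
    user_session = login.enroll(Desktop({"eth0": MonitorCap(eth0)}))  # attenuated key
    macro_session = login.enroll(Desktop({}))                         # no keys at all

    results = {}
    results["user_stats"] = netmgr_status(login.open(user_session).key("eth0"))
    results["root_ip"] = netmgr_set_ip(login.open(root_session).key("eth0"), "192.0.2.20")
    results["user_can_admin"] = hasattr(login.open(user_session).key("eth0"), "set_ip")
    try:
        login.open(macro_session).key("eth0")
        results["macro_reached_iface"] = True
    except KeyError:
        results["macro_reached_iface"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that `netmgr_status` and `netmgr_set_ip` contain no authorization logic at all, so there is no UID comparison to get wrong; the difference between the superuser and the normal user lives entirely in which key their desktop holds, and the keyless session cannot even name the interface.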
