Re: [Usability] Content Separation in GNOME



> >>The Settings folder could work like this: Programs would be allowed to
> >>read from anywhere in ~/Settings (to access settings shared between
> >>programs, or to import settings from competing programs), 
> >  
> > I don't like this. This should be done per-program in the program's
> > policy if it's really necessary.
> 
> How would such a policy be established? Do you mean that the first time
> you run Firefox, for example, you should get a confirmation alert
> "Firefox is trying to read your Epiphany settings", and another alert
> "Firefox is trying to read your Gnome-wide bookmarks", and another alert
> "Firefox is trying to read your Gnome-wide cookies", and another alert
> "Firefox is trying to read your Gnome Keyring", and so on? What are you
> trying to protect against here, anyway?

The policy will be established by the security administrator.
The user will not be asked anything - the policy will be enforced by
SELinux, where the app will be given the minimum set of permissions that
it requires. Giving the app more permissions than it needs is a bad
thing to do.

We're trying to protect against broken apps. In particular, when
an application is exploited, it should be confined within a small
domain, and should not be able to do anything outside that domain
causing harm - minimum privilege. 

-- 
Ivan Gyurdiev <ivg2 cornell edu>
Cornell University
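
As an added illustration (not part of the thread, and not an actual GNOME or Fedora policy), this is the shape of a per-program SELinux policy module that does what the reply describes: the application runs in its own domain, may read and write only its own settings, may read shared desktop-wide settings, and can never touch another application's settings. The domain and type names (settingsapp_t, shared_settings_t, otherapp_settings_t) are invented here; the macros follow the reference-policy conventions.

```selinux
policy_module(settingsapp, 1.0)

########################################
# Declarations
#

# Domain the confined application runs in, and the executable that enters it
type settingsapp_t;
type settingsapp_exec_t;
application_domain(settingsapp_t, settingsapp_exec_t)

# This application's private settings (e.g. ~/Settings/settingsapp); invented type name
type settingsapp_settings_t;
userdom_user_home_content(settingsapp_settings_t)

# Settings shared desktop-wide (e.g. ~/Settings/gnome); invented type name
type shared_settings_t;
userdom_user_home_content(shared_settings_t)

# Another application's private settings, assumed to be declared in that
# application's own module; referenced here only to state the invariant below
gen_require(`
	type otherapp_settings_t;
')

########################################
# Local policy
#

# Full access to its own settings directory and files
allow settingsapp_t settingsapp_settings_t:dir manage_dir_perms;
allow settingsapp_t settingsapp_settings_t:file manage_file_perms;

# Read-only access to the shared settings
allow settingsapp_t shared_settings_t:dir list_dir_perms;
allow settingsapp_t shared_settings_t:file read_file_perms;

# Invariants: the policy compiler rejects the whole policy if any module,
# now or later, grants these. An exploited settingsapp_t can therefore never
# modify shared settings and never read or write another app's settings.
neverallow settingsapp_t shared_settings_t:file { write append create unlink rename setattr };
neverallow settingsapp_t otherapp_settings_t:{ dir file } *;
```

Anything not listed in an allow rule is denied by default and logged as an AVC denial, so the neverallow lines add no runtime restriction; they make the omission explicit and checked at policy build time.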