Posted Nov 2, 2007 4:49 UTC (Fri) by zooko
Parent article: Fixing CAP_SETPCAP
"... trying to come up with ... sensible security solutions ... casting about ..."
Perhaps we should start with some sensible security problems. What problems are we trying to solve?
One of my problems is that I don't want to give an application all of my privileges when I run it, but I still want to give it some of my privileges. For example, I would like to download a nice new game off the Internet, extend to it my privilege to read and write in ~/.gamesave/newgame, and the privilege to open net connections to specified hosts, and the privilege of doing graphics and I/O in a constrained screen (e.g. a different X server, a different virtual terminal), but not give it the privilege of reading or writing any of my other files, performing other networking, continuing to run after I have shut it down, nor any other privileges.
Is this the same kind of problem that these security modules I keep reading about are trying to solve?
plash -- the Principle of Least Authority Shell seems like a good step in the right direction.
Note that plash is inspired by the theory of capability access control (although not by the "POSIX capabilities" that were the topic of this article.)
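The delegation model described in the comment above (hand a program authority over one save directory and a few hosts, and nothing else) can be sketched in code. The following is an added illustration written for this page; it is not code from plash or from the article, and the class and function names (`DirAuthority`, `NetAuthority`, `run_demo`) are hypothetical. It models the object-capability idea that plash builds on: the program receives an object that can only reach the granted subtree, and path canonicalization blocks `..`, absolute paths and symlinks from escaping it.

```python
"""Least-authority delegation sketch (added illustration, not plash's code).

A parent grants a child explicit authorities instead of its full ambient
privilege: one directory subtree plus an allow-list of network hosts.
All names here are hypothetical.
"""
import os
import shutil
import tempfile


class DirAuthority:
    """Authority over a single directory subtree and nothing outside it."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def resolve(self, relpath):
        # Canonicalize first, then confine: '..', absolute paths and symlinks
        # must all end up inside root or the request is refused.
        candidate = os.path.realpath(os.path.join(self.root, relpath))
        if candidate != self.root and not candidate.startswith(self.root + os.sep):
            raise PermissionError(f"{relpath!r} escapes {self.root}")
        return candidate

    def write_text(self, relpath, text):
        with open(self.resolve(relpath), "w") as f:
            f.write(text)

    def read_text(self, relpath):
        with open(self.resolve(relpath)) as f:
            return f.read()


class NetAuthority:
    """Authority to connect only to an explicit list of hosts."""

    def __init__(self, hosts):
        self.hosts = frozenset(h.lower() for h in hosts)

    def permits(self, host):
        return host.lower() in self.hosts


def _denied(fn, *args):
    """True if calling fn(*args) is refused by the authority object."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_demo():
    """Exercise the authorities on a constructed, temporary home layout:
    home/.gamesave/newgame is granted, home/secrets.txt is not."""
    home = tempfile.mkdtemp(prefix="home-")
    save_dir = os.path.join(home, ".gamesave", "newgame")
    os.makedirs(save_dir)
    secret = os.path.join(home, "secrets.txt")
    with open(secret, "w") as f:
        f.write("not for the game")
    # A symlink planted inside the granted tree that points outside it.
    os.symlink(secret, os.path.join(save_dir, "sneaky"))

    saves = DirAuthority(save_dir)
    net = NetAuthority(["game.example.net"])  # constructed hostname

    saves.write_text("slot1.sav", "level 3")
    results = {
        "save_roundtrip": saves.read_text("slot1.sav") == "level 3",
        "dotdot_blocked": _denied(saves.read_text, "../../secrets.txt"),
        "absolute_blocked": _denied(saves.read_text, secret),
        "symlink_blocked": _denied(saves.read_text, "sneaky"),
        "host_allowed": net.permits("GAME.example.net"),
        "host_denied": not net.permits("telemetry.example.org"),
    }
    shutil.rmtree(home)
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of the shape is that the game code never sees the home directory or a socket API; it only sees the two authority objects, so the "deny everything else" half of the policy is structural rather than a list of rules to get wrong. Real enforcement still needs the kernel to back this (plash does it with a separate file-server process and a restricted namespace), since in-process checks are only as strong as the process boundary.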