A different kind of bad week

Posted Sep 25, 2003 11:01 UTC (Thu) by Wout (subscriber, #8750)
Parent article: A different kind of bad week

Fixing problems in code is not the solution. At some point someone will write a virus that exploits an unfixed bug. Also, as we know, users are lax in applying fixes to their systems.

In Linux the user - system separation protects most of the system from actions done under a user's id. It also protects users from each other. For desktop systems this is not enough though. On a desktop system, there is usually one user. The most valuable files on such a system are probably owned by that user. This means that a virus that damages those files has achieved just about the worst that could happen - from the user's point of view.

What we need is some kind of separation between user programs that receive untrusted (possibly malicious) input (e.g. mail clients) and the user's files. I don't know how that could be implemented without annoying users though. Another way of protecting user files from destruction by malicious code is using a filesystem that supports snapshots (it remembers the state of files at the time of the snapshot and records changes in such a way that older version(s) of the files are still available). A daemon could then make (daily/hourly) snapshots of the /home partition. That way a virus could destroy the files it sees, but would not be able to touch the files as they were at the last snapshot. Looks like I've just reinvented backups. ;-)


A different kind of bad week

Posted Sep 25, 2003 21:30 UTC (Thu) by lakeland (subscriber, #1157)

Separating users from themselves sounds like a great idea, but I wouldn't know how to implement it without upsetting users.

Snapshot filesystems are fairly easy to simulate using hard links. Google should find you examples if you're interested.

A different kind of bad week

Posted Sep 26, 2003 11:02 UTC (Fri) by cross (subscriber, #13601)

> On a desktop system, there is usually one user.

Depends. Many households have one PC which is used by more than one user. It's sensible for each of them to have their own accounts, settings, preferences etc.

> The most valuable files on such a system are probably owned by that
> user. This means that a virus that damages those files has achieved
> just about the worst that could happen - from the user's point of view.
>
> What we need is some kind of separation between user programs that
> receive untrusted (possibly malicious) input (eg. mail clients) and the
> user's files. I don't know how that could be implemented without annoying
> users though.

It's fairly simple. Create a new account solely for the email program. Put yourself and that account in the same group (creating it for the purpose). For the sake of argument, "mymail". Make sure that the "mymail" account is group readable and writeable, make sure that your account isn't. Now even a malicious executable that your email client actually executed wouldn't be able to cause any damage under your home directory, let alone systemwide. It does mean that if you want to send a document or other attachment you first need to copy it to mymail's home directory. But that's why we made it group writeable.

A different kind of bad week

Posted Sep 26, 2003 12:51 UTC (Fri) by Wout (subscriber, #8750)

>> On a desktop system, there is usually one user.
>
>Depends. Many households have one PC which is used by more than one user.
> It's sensible for each of them to have their own accounts, settings, preferences etc.

Yes, but my point is that user files are the most important thing on a desktop system. Yet important as they are, they are also the most vulnerable to viruses and such.

>> What we need is some kind of separation between user programs that
>> receive untrusted (possibly malicious) input (eg. mail clients) and the
>> user's files. I don't know how that could be implemented without
>> annoying users though.
>
>It's fairly simple. Create a new account solely for the email program. Put yourself and that account in the same
>group (creating it for the purpose). For the sake of argument, "mymail". Make sure that the "mymail" account
>is group readable and writeable, make sure that your account isn't. Now even a malicious executable that your
>email client actually executed wouldn't be able to cause any damage under your home directory let alone
>systemwide. It does mean that if you want to send a document or other attachment you first need to copy it to
>the mymail's home directory. But that's why we made it group writeable.

This is the kind of solution that techies can use, but that is impractical for most other people because they don't understand file ownership, accounts and groups. What you need is protection that is invisible until the user requires it, which is exactly what a snapshot based system can provide. It even provides protection against the quite common case of people accidentally deleting or overwriting their files.

A different kind of bad week

Posted Sep 26, 2003 14:46 UTC (Fri) by cross (subscriber, #13601)

> Yes, but my point is that user files are the most important thing on a
> desktop system. Yet important as they are, they are also the most
> vulnerable to viruses and such.

We agree completely on this point.

> This is the kind of solution that techies can use, but that are
> impractical for most other people because they don't understand
> file ownership, accounts and groups.

If you can't explain it simply, you don't understand it well enough (Albert Einstein). The analogy I use is rooms in a house. Even very young kids understand "this is Jamie's room, you don't go in there unless he says it's OK". It's trivial then to grasp "this is Jamie's directory, you can't go in there".

> What you need is protection that is invisible until the user requires it

Which basically means that the installer should take care of it. When you choose "create new user" in your GUI tool and check the "set up mail" box it should create the "jamie" account, the "jamiemail" account and the "jamiemail" group, make a link in Jamie's home directory to "/home/jamiemail" so that Jamie can see it and knows that's where he puts things he wants to email to someone else, or save things someone else sent him. You do need to explain that he doesn't leave things there if he wants to be sure they'll still be there tomorrow, but using the previous analogy, that's the difference between putting things away in his room and leaving them out in the back garden. Chances are nobody will come into the garden that night and take them, but they might. It's a concept easily grasped.

Is this non-obvious? Do you think it's non-obvious enough that I could get a patent on it? ;-)

> which is exactly what a snapshot based system can provide. It even
> provides protection against the quite common case of people accidentally
> deleting or overwriting their files.

It's a very good idea, and something that should also be done. But it's a solution to a different problem.

The Unix security model could also help desktop users.

Posted Sep 27, 2003 10:18 UTC (Sat) by bockman (subscriber, #3650)

> In Linux the user - system separation protects most of the system from actions done under a user's id. It also protects users from each other. For desktop systems this is not enough though. On a desktop system, there is usually one user. The most valuable files on such a system are probably owned by that user. This means that a virus that damages those files has achieved just about the worst that could happen - from the user's point of view.

A secure-minded desktop distro (or a secure-minded desktop user, if any exists) could be configured to run any browser and e-mail program (or other programs accessing the 'Net) with a dedicated account, which can only read files, but with write-access only to a specific home directory subfolder. Files owned by this account should be readable/writable by the normal user account. This would only slightly annoy the user, since he can still upload/download stuff without too much hassle. The problem is that there should be different such accounts for each created user, e.g. to keep downloaded stuff by one user not readable by others, if so he chooses.
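The two account layouts proposed in this thread (cross's shared "jamiemail" group with a group-writable drop directory, and bockman's read-only mail account with a single writable subfolder) can be checked against the ordinary Unix permission rules without touching a real system. The following is an added example, not code from the thread or from any of the posters: it implements the POSIX discretionary access decision (owner bits if you own the object, otherwise group bits if you are in its group, otherwise the "other" bits, with search permission required on every ancestor directory) and runs it over both layouts. The account names follow the thread; the uids, gids, file names and modes are constructed for illustration.

```python
"""Added example: model the 'separate account for the mail client' layouts.

Shows, for each account, which files it can read, modify or delete under
cross's layout (shared jamiemail group) and bockman's variant (read-only
mail account with one writable subfolder).  Uids/gids and file names are
constructed; the user names come from the thread.
"""
from dataclasses import dataclass
import posixpath

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Subject:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups


@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o2770 (setgid bit included)


def class_bits(subj, node):
    """Select the single permission class (owner, group or other) that applies."""
    if subj.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in subj.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def ancestors(path):
    """Yield '/', '/home', ... up to but excluding path itself."""
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def allowed(subj, fs, path, want):
    """True if subj may perform `want` (R/W/X bits) on path: every ancestor
    must grant search (X) and the target itself must grant `want`."""
    for parent in ancestors(path):
        if class_bits(subj, fs[parent]) & X != X:
            return False
    return class_bits(subj, fs[path]) & want == want


def can_modify(subj, fs, path):
    return allowed(subj, fs, path, W)


def can_delete(subj, fs, path):
    """Unlinking needs write+search on the parent directory, not on the file."""
    return allowed(subj, fs, posixpath.dirname(path), W | X)


ROOT, JAMIE, MAIL = 0, 1000, 1001          # uids (constructed)
G_ROOT, G_JAMIE, G_MAIL = 0, 1000, 1001    # gids (constructed)

# cross's layout: jamie is added to group jamiemail, jamiemail's home is the
# shared drop box (setgid so files created there inherit the group), and
# jamie's own home is closed to everyone else.
jamie_c = Subject("jamie", JAMIE, frozenset({G_JAMIE, G_MAIL}))
mailer_c = Subject("jamiemail", MAIL, frozenset({G_MAIL}))
FS_CROSS = {
    "/": Node(ROOT, G_ROOT, 0o755),
    "/home": Node(ROOT, G_ROOT, 0o755),
    "/home/jamie": Node(JAMIE, G_JAMIE, 0o700),
    "/home/jamie/thesis.odt": Node(JAMIE, G_JAMIE, 0o600),
    "/home/jamiemail": Node(MAIL, G_MAIL, 0o2770),
    "/home/jamiemail/report.pdf": Node(JAMIE, G_MAIL, 0o660),     # copied in by jamie to send
    "/home/jamiemail/attachment.bin": Node(MAIL, G_MAIL, 0o660),  # saved by the mail client
}

# bockman's variant: the mail account is in group jamie, so it can read the
# user's files (home is 0750), but may write only to one subfolder it owns.
jamie_b = Subject("jamie", JAMIE, frozenset({G_JAMIE}))
mailer_b = Subject("jamiemail", MAIL, frozenset({G_MAIL, G_JAMIE}))
FS_BOCKMAN = {
    "/": Node(ROOT, G_ROOT, 0o755),
    "/home": Node(ROOT, G_ROOT, 0o755),
    "/home/jamie": Node(JAMIE, G_JAMIE, 0o750),
    "/home/jamie/thesis.odt": Node(JAMIE, G_JAMIE, 0o640),
    "/home/jamie/Downloads": Node(MAIL, G_JAMIE, 0o2770),
    "/home/jamie/Downloads/attachment.bin": Node(MAIL, G_JAMIE, 0o660),
}


def exposure(subj, fs):
    """Map each path (except / and /home) to the flags r/w/d subj holds on it."""
    out = {}
    for path in fs:
        if path in ("/", "/home"):
            continue
        flags = ""
        if allowed(subj, fs, path, R):
            flags += "r"
        if can_modify(subj, fs, path):
            flags += "w"
        if can_delete(subj, fs, path):
            flags += "d"
        out[path] = flags
    return out


if __name__ == "__main__":
    for label, subj, fs in (("cross", mailer_c, FS_CROSS), ("bockman", mailer_b, FS_BOCKMAN)):
        print(f"mail client account under {label}'s layout:")
        for path, flags in exposure(subj, fs).items():
            print(f"  {flags or '---':3} {path}")
```

Running it shows the property both posters are after: under either layout the mail account gets no write or delete access to thesis.odt, while jamie can still read and write everything the mail client produces. It also makes cross's "back garden" caveat concrete: report.pdf, once copied into /home/jamiemail, is group-writable and sits in a group-writable directory, so a compromised mail client can alter or unlink it. On a real system the corresponding mode for the shared directory is what `chmod 2770` sets.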

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds