l4-hurd

Re: Process hierarchies


From: Jonathan S. Shapiro
Subject: Re: Process hierarchies
Date: Tue, 11 Oct 2005 19:51:39 -0400

On Tue, 2005-10-11 at 22:23 +0200, Marcus Brinkmann wrote:

> So, very loosely, in the Hurd, the filesystem acts in the role of an
> EROS constructor.  Clearly, the EROS solution is more generic, and
> abstracted.  In the Hurd, this is just handled as a special case in
> the filesystem for the suid case.

From your description, this sounds right. Here is another small
difference. It is not important for understanding the constructor
concept, but it is important for security:

  If all of this function is gathered in the file system, the
  file system does not satisfy the concept of "least privilege."

The idea of "least privilege" is not an absolute idea, but it is an
excellent design rule in practice. I would add a second:

  As the amount of authority managed by a process rises,
  the complexity of the actions performed by that process
  really wants to be simplified.

That is: if you *do* need to manage some complex permissions issue, keep
the managing code simple so that you don't screw it up.

Finally: this is a place where persistence changes your point of view.
In Hurd, where persistence is (currently) not available, the only place
that you really *could* put this function is in the file system. In
EROS, where a process can continue running across system shutdown, it
becomes easier to bundle the authority into more fine-grain divisions
(the constructors).

shap