l4-hurd

Re: Design principles and ethics (was Re: Execute without read (was [...


From: Tom Bachmann
Subject: Re: Design principles and ethics (was Re: Execute without read (was [...]))
Date: Sun, 30 Apr 2006 10:41:41 +0200
User-agent: Mail/News 1.5 (X11/20060403)

Jonathan S. Shapiro wrote:
> It is also not confinement if the parent can read the child without the
> consent of the child. Therefore it is not confinement at all.
> 

I have two problems with this statement. a) Every process has been
instantiated by /someone/, so every process has a parent. b) I agree
with you that this is not confinement, but the parent *may* confine the
child by dropping all references to it.

a) With the kind of confinement you propose, the parent is a
constructor (iiuc). The confinement works because the constructor is
trusted. So if the user can trust *one* program running, she can use
this program to instantiate confined subsystems for her.

b) The question is whether the parent *can* drop all references. If the
parent's parent is trusted, of course everything works. If not *and* the
parent's parent is able to control the parent, this will not work.

So as we do not want a trust hierarchy that is rooted in the admin,
somewhere in the hierarchy there has to be a program that its parent
cannot control and the user trusts (let's call it the user's shell).
This cannot be achieved without *some* trust. In the case of ``static''
accounts, this is the trust in the system installer. In the case of
``dynamic'' accounts this is the trust in the creator of the account, so
most probably the system admin. I can't see where constructors change this.
--
-ness-