Re: Changing from L4 to something else...

[Bas Wijnen]

On Sun, Oct 30, 2005 at 10:00:31PM +0000, Neal H. Walfield wrote:
> > Session details should be editable remotely when you autharize yourself (for
> > example with an ssh key).  Because of this, su from anything except root is
> > easily implemented (because authorization is performed).  But su from root
> > (without a password) is only possible if the user allowed it, and it isn't 
> > if
> > the user didn't allow it.
> 
> I don't think so.  Why doesn't the system administrator control the
> session manager?  Why can't the system administrator decide which
> session manager to install (e.g. the one with the method which given a
> username and a particular capability returns the session capability of
> the specificed user)?

Of course the administrator can choose a session manager which doesn't allow
this.  But if the session manager wants this kind of power, he probably
doesn't want a capability system in the first place, because it limits his
powers in more ways.

What we have to do is convince administrators that not having this power is a
good idea.  That may not be an easy task.  But I'd wait with it until we have
a working system. :-)

What I claim is not that the administrator (the person) doesn't have this
power.  Of course he does, since he can install the OS (and in case of GNU,
adapt it to his liking).  I'm claiming that it is a good idea if the
administrator will choose not to give the root user this power, and that when
he chooses this, the system will be more secure.

> I'd be interesting in understanding how one could build a system in
> which system administrators can't install their own session managers.
> Moreover how do users verify that the system administrator doesn't
> have this capability?  (I think this is basically the secure booting
> problem.)

It's more than that, it's a social problem.  It's the same problem you have
when playing a network game: all players have to trust the server that it's
not cheating in favor of one of the players (usually the one hosting the
server).

If you socially don't trust someone, then you shouldn't put any private data
on his computer.  No software can change that, because the owner can simply
install spying software and claim to have installed a secure version.

The situation I was assuming is that the user trusts the administrator to do
what he says, and that the administrator agrees that not having the power to
spy on users without their consent is a good idea.  Both of these assumptions
may not be true in many situations.  The second one is something we should
change (by explaining why it is a good idea), the first one is something we
have nothing to do with.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html

signature.asc
Description: Digital signature