
List:       hurd-bug
Subject:    Re: Server overriding; chroot
From:       Pierre THIERRY <nowhere.man () levallois ! eu ! org>
Date:       2008-03-27 23:49:15
Message-ID: 20080327234915.GI14637 () (none)


olafBuddenhagen@gmx.net wrote on 27/03/2008 at 02:28:
> > The problem here is that authority is given instead of demonstrated.
> > No translator should receive a port from a privileged server like
> > the parent FS server.
> Sorry, that's too abstract for me...

This is a classical example of confused deputy. The client says to the
deputy (here the deputy is the parent FS) "Hey, I want to access foo and
frob it!", but cannot in any way access foo itself. Then the deputy
accesses foo, which it can, and frobs it.

If the client had to give the deputy a handle and should say "Hey, I
want you to frob that thing!" and the deputy would use the handle
instead of opening some resource with its own rights, then the client
couldn't do more with the deputy than alone. The client would need
proper rights to open the resource itself and create the handle.

> note that at one point Shapiro actually wanted to drop persistence
> from Coyotos...

And realized it would actually make things harder. Persistence is a key
solution to the secure boot problem: how do you make sure that at each
reboot, your system ends up in a secure state? That's awfully complex.
With a persistent system, you only have to

  - Start in some initial secure state,
  - ensure that each transition of the system from a secure state gives
    another secure state.

> In http://lists.gnu.org/archive/html/gnu-system-discuss/2007-09/msg00129.html,
> Marcus proposes a new method for implementing passive translators,
> with the goal of addressing the chroot problem.

That's a very interesting solution! And it may even not be that hard to
implement...

> While personally I believe that the approach he describes doesn't
> really fundamentally change what passive translators are and what they
> can do

Well, now translators can only be started with as much authority as
their creator's. That's a huge difference, I'd say. It should be
analysed further, but at first read, it seems worth a try.

Quickly,
Pierre
-- 
nowhere.man@levallois.eu.org
OpenPGP 0xD9D50D8A

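An added illustration of the confused deputy and the handle-based fix described in the message above, written as a constructed Python model for this page (not Hurd code; the Store, Handle, principal names and paths are assumptions):

```python
# Constructed model: a "parent FS" deputy that acts on a *name* with its own
# rights, beside one that only acts on a handle the client obtained itself.

class Denied(Exception):
    pass


class Store:
    """Stand-in for the filesystem: contents plus who may open each path."""
    def __init__(self):
        self.data = {"/etc/secret": "s3cr3t", "/home/user/foo": "hello"}
        self.acl = {"/etc/secret": {"parent_fs"},
                    "/home/user/foo": {"parent_fs", "user"}}

    def open(self, principal, path):
        """Check the caller's own rights and hand back a capability."""
        if principal not in self.acl.get(path, set()):
            raise Denied(f"{principal} may not open {path}")
        return Handle(self, path)


class Handle:
    """A capability: holding it is the only way to frob the object."""
    def __init__(self, store, path):
        self._store, self._path = store, path

    def frob(self):
        self._store.data[self._path] = self._store.data[self._path].upper()
        return self._store.data[self._path]


def ambient_deputy(store, path):
    """Deputy that trusts the client's name and opens with its own rights."""
    return store.open("parent_fs", path).frob()


def capability_deputy(handle):
    """Deputy that frobs only an object the client could open itself."""
    return handle.frob()


def confused_deputy_case(store):
    # The unprivileged client names a path it cannot open; the deputy,
    # acting by name, opens it with parent_fs rights and frobs it anyway.
    return ambient_deputy(store, "/etc/secret")


def capability_case(store, path):
    # The client must create the handle with its own rights first, so it
    # can do no more through the deputy than it could alone.
    return capability_deputy(store.open("user", path))
```

The first case succeeds although the client has no right to the object; the second fails for `/etc/secret` and works only for the path the client may open itself.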
