A new kind of security needed
Robert Watson
rwatson at FreeBSD.org
Thu Jul 24 09:06:20 UTC 2008
On Thu, 24 Jul 2008, Kostik Belousov wrote:
>> Lots of people care a lot about plan9. The problem is that it's a lot like
>> UNIX. UNIX presupposes lots of special-purpose applications doing rather
>> specific and well-defined things, and that is a decreasingly accurate
>> reflection of the way people write applications. All these security
>> extensions get extremely messy the moment you have general-purpose
>> applications that you want to be able to do some things some times, and
>> other things other times, and where the nature of the protections you want
>> depends on, and changes with, the whim of the user. The complex structure
>> of modern UNIX applications doesn't help (lots of dependent libraries,
>> files, interpreters, etc), because it almost instantly pushes the package
>> dependency problem into the access control problem. I don't think it's
>> hopeless, but I think that any answer that looks simple is probably wrong
>> by definition. :-)
>
> I think that the per-process namespaces are useful, and can be added to the
> existing Unix model with quite favourable consequences. On the other hand, I
> do not think that security is the most important application of the
> namespaces, or even have a direct relation to it.
>
> Implementing namespaces for FreeBSD looks as an doable and quite interesting
> project for me :).
Sounds good to me :-).
As with all such projects (variant symlinks, process-local name spaces, etc.),
do be very careful about security -- often as not, such projects risk tripping
over problems with privilege-escalated processes, such as setuid binaries,
etc, which place strong trust in the file system name space.
Robert N M Watson
Computer Laboratory
University of Cambridge