A new kind of security needed

[Robert Watson]

On Thu, 24 Jul 2008, Kostik Belousov wrote:

>> Lots of people care a lot about plan9.  The problem is that it's a lot like 
>> UNIX.  UNIX presupposes lots of special-purpose applications doing rather 
>> specific and well-defined things, and that is a decreasingly accurate 
>> reflection of the way people write applications.  All these security 
>> extensions get extremely messy the moment you have general-purpose 
>> applications that you want to be able to do some things some times, and 
>> other things other times, and where the nature of the protections you want 
>> depends on, and changes with, the whim of the user.  The complex structure 
>> of modern UNIX applications doesn't help (lots of dependent libraries, 
>> files, interpreters, etc), because it almost instantly pushes the package 
>> dependency problem into the access control problem.  I don't think it's 
>> hopeless, but I think that any answer that looks simple is probably wrong 
>> by definition.  :-)
>
> I think that the per-process namespaces are useful, and can be added to the 
> existing Unix model with quite favourable consequences. On the other hand, I 
> do not think that security is the most important application of the 
> namespaces, or even have a direct relation to it.
>
> Implementing namespaces for FreeBSD looks as an doable and quite interesting 
> project for me :).

Sounds good to me :-).

As with all such project (variant symlinks, process-local name spaces, etc), 
do be very careful about security -- often as not, such projects risk tripping 
over problems with privilege-escalated processes, such as setuid binaries, 
etc, which place strong trust in the file system name space.

Robert N M Watson
Computer Laboratory
University of Cambridge