A new kind of security needed
Kostik Belousov
kostikbel at gmail.com
Thu Jul 24 09:33:29 UTC 2008
On Thu, Jul 24, 2008 at 09:09:26AM +0100, Robert Watson wrote:
> On Fri, 18 Jul 2008, Lyndon Nerenberg wrote:
>
> >It's sad people don't pay more attention to Plan 9. Namespaces go a long
> >way towards solving this problem in a manner that's completely transparent
> >to the application, and trivial for the end-user to configure and use.
> >
> >See:
> >
> >http://plan9.bell-labs.com/sys/doc/names.html
> >http://plan9.bell-labs.com/magic/man2html/1/0intro
> >http://plan9.bell-labs.com/magic/man2html/4/namespace
> >
> >In a nutshell, your view of the 'filesystem' is fully mutable. A simple
> >'rfork n' in the shell will instantiate a brand new instance of the
> >namespace, which you can then fiddle to your heart's content. E.g.
> >
> >rfork n bind /usr/ftp /
> >
> >creates a namespace where /usr/ftp (by convention the anonymous FTP
> >directory) is now the "root" directory of the process' filesystem.
> >Analogous system calls exist for programmatic use. And since there is no
> >concept of (or need for) a 'superuser' these facilities are available to
> >everyone.
> >
> >This makes sandboxing trivial for any number of remotely accessible
> >network services as well as to the interactive system user. Both files and
> >directories can be bind targets, and the source of the bind can as easily
> >be a program as a file or directory; the ability to create secure
> >synthetic filesystems just naturally falls out of this paradigm.
> >
> >And the applications are blissfully unaware that any of this even exists.
>
> Lots of people care a lot about plan9. The problem is that it's a lot like
> UNIX. UNIX presupposes lots of special-purpose applications doing rather
> specific and well-defined things, and that is a decreasingly accurate
> reflection of the way people write applications. All these security
> extensions get extremely messy the moment you have general-purpose
> applications that you want to be able to do some things some times, and
> other things other times, and where the nature of the protections you want
> depends on, and changes with, the whim of the user. The complex structure
> of modern UNIX applications doesn't help (lots of dependent libraries,
> files, interpreters, etc), because it almost instantly pushes the package
> dependency problem into the access control problem. I don't think it's
> hopeless, but I think that any answer that looks simple is probably wrong
> by definition. :-)
I think that the per-process namespaces are useful, and can be added to
the existing Unix model with quite favourable consequences. On the other
hand, I do not think that security is the most important application
of the namespaces, or even have a direct relation to it.
Implementing namespaces for FreeBSD looks as an doable and quite
interesting project for me :).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20080724/e0ef874e/attachment.pgp
More information about the freebsd-security
mailing list