X/smtp servers (was Re: TrustedBSD Extensions Project)

richard offer offer at sgi.com
Wed Apr 12 22:59:17 GMT 2000

* $ from jont at us.ibm.com at "12-Apr: 4:15pm" | sed "1,$s/^/* /"
* Sorry my previous post was less than clear, I lost sight of the forest
* for the trees.
* I think I want to make two points, IMO:
*   1) B1 access control (MLS/lattice + user DAC) is inadequate,
*   it needs to be extended to support role-based access control (RBAC),
*   and probably an integrity model such as type enforcement.

If what you want is RBAC, doesn't that imply you want B2 and not B1?

*   2) Large user-mode servers don't really follow (they can't) the
*   principle of least privilege.  Therefore it is a mistake to "improve"
*   such large servers rather than to re-architect them to solve the
*   privilege problems.
* One question which then arises is which large services can be
* re-architected, and which need to be tweaked?
* As I noted sendmail has already been re-architected (several times :-),
* as I believe has usenet news software.
* Clearly my suggestion for GGI(+X) over straight X is contentious.

It's only contentious with me; I don't believe it's the right thing to do, others
may argue...

* Perhaps it should be taken out of the main list ...
* Or perhaps it's a non-issue at this point in time due to lack of resources.

Eventually we will need a B1 workstation, but a server is definitely easier---if
you think I'm going to include GNOME/KDE in my TCB with the required security
analysis, you've got three hopes :-)

Is it worth starting a list of applications which we really need trusted
versions/an analysis of [1]?

For example, currently I have no MTA or web server in my TCB---mainly because I
want to start off doing the easy stuff, but eventually I'm going to need one,
just to avoid something along the lines of the "NT is only trustable when it's
standalone" fiasco. There really is no point in each camp (Linux/BSD) going
their own separate way on such large tasks.

What I'm sort of proposing is a combined OpenB1/C2 group that coordinates with
both camps to make most use of shared (application) codebases.

* - JonT


[1] As my work is going to be evaluated at C2/B1, analysis documentation is
just as important as actual code.

Richard Offer           Widget FAQ --> http://reality.sgi.com/widgetFAQ
MTS-Core Design (Motif)
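JonT's second point above (a large monolithic server cannot follow least privilege, so it should be re-architected rather than patched, as sendmail was) is easier to weigh with a concrete shape of that re-architecture in front of you. What follows is an added example written for this archive page, not code from the original post, from sendmail or from any TrustedBSD project: a privileged "monitor" process keeps the authority to open files, an unprivileged "worker" process can only ask for a file by name over a socketpair, and the monitor applies a policy check before handing back a descriptor with SCM_RIGHTS. The directory under /tmp, the file names, the refused request strings and the use of uid/gid 65534 as the unprivileged identity are all assumptions made for the example.

```c
/* Added example (not from the original post or any project): a privilege-
 * separation skeleton in the monitor/worker style. Assumptions: a scratch
 * directory under /tmp, uid/gid 65534 as the unprivileged identity. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define REQ_LEN 64

/* Policy enforced by the monitor: the worker may only name a plain file in
 * the monitor's directory. No empty or oversized names, no absolute paths or
 * subdirectories ('/'), and no dot-prefixed names (covers "." and ".."). */
int request_allowed(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= REQ_LEN) return 0;
    if (name[0] == '.' || strchr(name, '/') != NULL) return 0;
    return 1;
}

/* Monitor -> worker: one status byte, plus the descriptor via SCM_RIGHTS
 * when the request was granted (fd >= 0). */
static int send_reply(int sock, int fd)
{
    char status = fd >= 0 ? 1 : 0;
    struct iovec iov = { .iov_base = &status, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    memset(&u, 0, sizeof u);
    if (fd >= 0) {
        msg.msg_control = u.buf;
        msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Worker side: returns the received descriptor, or -1 if the monitor refused. */
static int recv_reply(int sock)
{
    char status = 0;
    struct iovec iov = { .iov_base = &status, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || status == 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Monitor: the only process that ever calls open(); serves requests in
 * lockstep until the worker closes its end of the socketpair. */
static void monitor_serve(int sock, const char *dir)
{
    char name[REQ_LEN];
    ssize_t n;
    while ((n = read(sock, name, sizeof name)) > 0) {
        name[n < REQ_LEN ? n : REQ_LEN - 1] = '\0';
        int fd = -1;
        if (request_allowed(name)) {
            char path[512];
            snprintf(path, sizeof path, "%s/%s", dir, name);
            fd = open(path, O_RDONLY | O_NOFOLLOW);
        }
        send_reply(sock, fd);
        if (fd >= 0) close(fd);  /* the worker now holds its own copy */
    }
}

/* Worker: gives up root first (assumption: 65534 = nobody), then asks for each
 * name and reports how many descriptors it actually received. Exit codes
 * above 100 signal setup failures, so they cannot be confused with a count. */
static int worker_run(int sock, const char *const *names, int count)
{
    if (getuid() == 0 &&
        (setgroups(0, NULL) != 0 || setgid(65534) != 0 || setuid(65534) != 0))
        _exit(101);
    int got = 0;
    for (int i = 0; i < count; i++) {
        if (write(sock, names[i], strlen(names[i])) < 0) _exit(102);
        int fd = recv_reply(sock);
        if (fd >= 0) { got++; close(fd); }
    }
    return got;
}

/* Creates a constructed scratch directory holding one readable file, runs the
 * monitor/worker pair and returns the number of granted requests. With the
 * three constructed requests below the expected result is 1. */
int privsep_demo(void)
{
    char dir[] = "/tmp/privsep.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char path[512];
    snprintf(path, sizeof path, "%s/ok.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    (void)write(fd, "constructed\n", 12);
    close(fd);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        const char *const names[] = { "ok.txt", "../escape", "/etc/passwd" };
        _exit(worker_run(sv[1], names, 3));
    }
    close(sv[1]);
    monitor_serve(sv[0], dir);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    unlink(path);
    rmdir(dir);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("granted requests: %d\n", privsep_demo());
    return 0;
}
```

The point of the split is that `request_allowed` and `open` live in a process with a few dozen lines of reachable code, which is the part you would actually submit for a B1/C2 style analysis, while the bulk of the server (here, the worker) can be as large and as messy as it likes without holding any privilege worth stealing. The policy is deliberately a whitelist on a single path component rather than a prefix check on a full path, because the monitor, not the worker, decides which directory the name is joined to.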
