From owner-freebsd-security@FreeBSD.ORG Thu Jul 24 09:06:20 2008
Date: Thu, 24 Jul 2008 10:06:19 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Kostik Belousov
Cc: Liste FreeBSD-security <freebsd-security@freebsd.org>, Lyndon Nerenberg
Subject: Re: A new kind of security needed
In-Reply-To: <20080724085910.GG97161@deviant.kiev.zoral.com.ua>
Message-ID: <20080724100439.D63347@fledge.watson.org>
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca> <20080724090549.G63347@fledge.watson.org> <20080724085910.GG97161@deviant.kiev.zoral.com.ua>

On Thu, 24 Jul 2008, Kostik Belousov wrote:

>> Lots of people care a lot about plan9. The problem is that it's a lot like
>> UNIX. UNIX presupposes lots of special-purpose applications doing rather
>> specific and well-defined things, and that is a decreasingly accurate
>> reflection of the way people write applications. All these security
>> extensions get extremely messy the moment you have general-purpose
>> applications that you want to be able to do some things some times, and
>> other things other times, and where the nature of the protections you want
>> depends on, and changes with, the whim of the user. The complex structure
>> of modern UNIX applications doesn't help (lots of dependent libraries,
>> files, interpreters, etc), because it almost instantly pushes the package
>> dependency problem into the access control problem. I don't think it's
>> hopeless, but I think that any answer that looks simple is probably wrong
>> by definition. :-)
>
> I think that the per-process namespaces are useful, and can be added to the
> existing Unix model with quite favourable consequences. On the other hand, I
> do not think that security is the most important application of the
> namespaces, or even has a direct relation to it.
>
> Implementing namespaces for FreeBSD looks like a doable and quite interesting
> project for me :).

Sounds good to me :-). As with all such projects (variant symlinks, process-local name spaces, etc), do be very careful about security -- often as not, such projects risk tripping over problems with privilege-escalated processes, such as setuid binaries, etc, which place strong trust in the file system name space.

Robert N M Watson
Computer Laboratory
University of Cambridge
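The caveat in the reply above is that a setuid or setgid binary resolves names in a file system namespace that an unprivileged caller may be able to shape (through variant symlinks, a process-local namespace, or simply an environment variable), so it must not let caller-controlled indirection decide which files it trusts. The following C example, added here and not part of the original thread or of any FreeBSD code, shows the defensive pattern: honour a user-supplied path override only when the process is not running with elevated credentials. The environment variable name CFG_OVERRIDE and the path /etc/example.conf are hypothetical; the privilege check compares real and effective ids, a portable approximation of FreeBSD's issetugid(2).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 when the process runs with credentials different from
 * those of the caller (setuid/setgid). In that state the caller must
 * not be allowed to influence how names are resolved. This is a
 * portable approximation of FreeBSD's issetugid(2). */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Select the configuration file to trust.
 *   override   - caller-supplied path (e.g. from the hypothetical
 *                CFG_OVERRIDE environment variable), or NULL
 *   privileged - result of running_privileged()
 * A privileged process always uses the fixed system path; an
 * unprivileged one may use an absolute override of its choosing. */
const char *choose_config_path(const char *override, int privileged) {
    static const char fixed_path[] = "/etc/example.conf"; /* hypothetical */

    if (privileged)
        return fixed_path;                 /* ignore caller-shaped namespace */
    if (override == NULL || override[0] != '/')
        return fixed_path;                 /* no usable override given */
    return override;
}

int main(void) {
    int priv = running_privileged();
    const char *path = choose_config_path(getenv("CFG_OVERRIDE"), priv);

    printf("privileged=%d config=%s\n", priv, path);
    return 0;
}
```

The same shape applies to any caller-influenced lookup a privileged program performs (search paths, home directories, temporary directories): decide trust from the credential state first, and only then consult anything the caller could have set up.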