tech-kern archive

Re: Vnode scope implementation



On Tue, Jul 21, 2009 at 12:25:37AM +0300, Elad Efrat wrote:
> David Young wrote:
>> On Thu, Jul 16, 2009 at 07:39:15PM +0300, Elad Efrat wrote:
>>> David Young wrote:
>>>
>>>> Isn't it hard to know that the design of kauth(9) and the placement of
>>>> the hooks is correct for anybody's purposes---Apple's, NetBSD's, yours,
>>>> mine---when you do not use the API for anything?
>>> How is the API not in use? What do you think implements "root" and
>>> "securelevel" for several years now? :)
>>
>> Sorry if it wasn't clear from the context, but I was asking about the
>> vnode scope.
>
> In that case your question makes very little sense, given the subject
> of this thread is the vnode scope back-end. In other words, no hooks are
> added, so you can't tell if their placement is correct or not.

The question stands, how do you know that the design of anything in
kauth(9) is correct until you use it for something?

>> But that is just maintaining the status quo.  Is that such a big
>> pay-off?
>
> I think your assertion is wrong, but I also think we have different
> definitions of what a big pay-off would be. Could you please state
> what a big pay-off would be, from your point of view?

It would be a big improvement if a user could run any process with the
least privileges that he thought the process needed to do its job, and
if he could read from the kernel a reliable list of the privileges that
any process was running with.

>> A paper and an abstract do not a compelling security demonstration make!
>
> Same question as above -- could you elaborate on what a compelling
> security demonstration would be, from your point of view?

To start with, it would be runnable code!

Dave

-- 
David Young             OJC Technologies
dyoung%ojctech.com@localhost      Urbana, IL * (217) 278-3933

