Sun Jan 21 07:55:44 EST 2018

Privilege separation, untrusted code

I still have not solved:
- editing root-owned scripts
- running root code in Erlang

After reading:

The key is to eliminate trusted code as much as possible.  However, he
also argues that privilege separation doesn't solve any real problems.
What is the subtlety there?

In 2.5, look for:

    "Minimizing privilege is not the same as minimizing the amount of
     trusted code, does not have the same benefits as minimizing the
     amount of trusted code, and does not move us any closer to a
     secure computer system."

    "The defining feature of untrusted code is that it cannot violate
     the user’s security requirements. Turning a “DNS helper” into
     untrusted code is necessarily more invasive than merely imposing
     constraints upon the operating-system resources accessed by the
     program. The “DNS helper” handles data from many sources, and
     each source must be prevented from modifying other sources’ data."