Sun Jan 21 07:55:44 EST 2018
Privilege separation, untrusted code
I still have not solved:
- editing root-owned scripts
- running root code in Erlang
The key is to eliminate trusted code as much as possible. However, he
also argues that privilege separation doesn't solve any real problems.
What is the subtlety there?
In 2.5, look for:
"Minimizing privilege is not the same as minimizing the amount of
trusted code, does not have the same benefits as minimizing the
amount of trusted code, and does not move us any closer to a
secure computer system."
"The defining feature of untrusted code is that it cannot violate
the user’s security requirements. Turning a “DNS helper” into
untrusted code is necessarily more invasive than merely imposing
constraints upon the operating-system resources accessed by the
program. The “DNS helper” handles data from many sources, and
each source must be prevented from modifying other sources’ data."