software - multiple version installs (any distro developers here?)

Sean Lynch seanl at literati.org
Tue Aug 23 19:49:12 PDT 2016


On Tue, Aug 23, 2016 at 5:33 PM John <jnn at synfin.org> wrote:

> On August 23, 2016 5:56:39 PM EDT, Sean Lynch <seanl at literati.org> wrote:
> ...
> >"Docker for everything" is not a totally off the wall idea. Not
> >specifically docker but namespaces & cgroups for making software that's
> >used to Unix-like discretionary access controls and make it act more
> >like
> >object-capability software. You'd need a UI or shell or something for
> >expressing what capabilities to pass along, for example something that
> >interprets annotated filenames, converts them to filenames in the
> >process's
> >own namespace, and handles mounting the files into the process's
> >namespace.
> >Of course, then you're probably just reinventing SELinux or something,
> >though I do think there's potential there to make the user interface a
> >little less obtuse than SELinux policies.
>
> I don't need /bin/ls and /bin/cp and /bin/[insert simple base util here]
> wrapped in a container and never found SELinux worth the hassle, but I
> suppose some people might want that level of headache... ;).
>
>
Sure, the base utilities are *probably* secure, but only because they're
mature at this point. But /bin/ls and /bin/cp have access to everything you
do, and they can allocate arbitrary amounts of RAM, open network sockets,
delete all your files, DoS the whole machine. Not too hard to avoid some of
that with ulimit et al, but where do you draw the line at what's a "base
utility"? tar? rar? mawk? And what happens the next time someone puts a
"bug fix" into ls that causes a security regression?

/bin/ls only needs access to your current directory or the directories you
type on the command line, and to the inodes of any of the files therein.
And then only read access. I suspect that wouldn't be too hard to add as
annotations to the arguments themselves, similar to how we have wildcards
that are interpreted by the shell now. Automatic named pipes are probably a
better analogy.

Now I feel like I need to go code up a prototype...
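As an added example (not code from the thread), the "annotated filenames" idea from the message above in working Python: a planner that rewrites arguments such as `ro:/var/log` to mount points inside the child's own namespace and renders a bwrap(1) command line that exposes only those paths. The `ro:`/`rw:` prefix syntax, the `/cap/N` mount points and the minimal merged-/usr root are assumptions of this example; actually running the rendered command needs bubblewrap and unprivileged user namespaces.

```python
"""Capability-style front end for base utilities (example, not from the thread).

Annotated arguments say what the child may touch:  ro:<path> grants read-only
access, rw:<path> read-write.  Everything else on the host stays invisible.
"""
import os
from dataclasses import dataclass, field

# Hypothetical annotation syntax used here: <mode>:<path> -> bwrap bind flag
MODES = {"ro": "--ro-bind", "rw": "--bind"}


@dataclass
class Plan:
    argv: list = field(default_factory=list)    # argv as the child will see it
    mounts: list = field(default_factory=list)  # (bwrap flag, host path, guest path)


def plan_command(args, cwd="/"):
    """Turn annotated argv into a namespace plan (pure logic, no privileges needed)."""
    plan = Plan()
    for i, arg in enumerate(args):
        mode, sep, path = arg.partition(":")
        if sep and mode in MODES:
            host = os.path.normpath(os.path.join(cwd, path))  # resolve relative to caller
            guest = f"/cap/{i}"  # one private mount point per granted argument
            plan.mounts.append((MODES[mode], host, guest))
            plan.argv.append(guest)  # the child only ever learns the guest path
        else:
            plan.argv.append(arg)  # plain words (flags, command name) pass through
    return plan


def bwrap_command(plan):
    """Render the plan as a bwrap(1) invocation over an otherwise empty root.

    Assumes a merged-/usr distro: binaries and libraries come from a read-only
    /usr, with the usual compatibility symlinks so /bin/ls still resolves.
    """
    cmd = ["bwrap", "--unshare-all", "--die-with-parent",
           "--ro-bind", "/usr", "/usr",
           "--symlink", "usr/bin", "/bin",
           "--symlink", "usr/lib", "/lib",
           "--symlink", "usr/lib64", "/lib64",
           "--proc", "/proc"]
    for flag, host, guest in plan.mounts:
        cmd += [flag, host, guest]
    return cmd + ["--"] + plan.argv
```

With `ls -l ro:/var/log` the child gets a read-only `/cap/2` and nothing else from the host, so neither a regression in ls nor a hostile file name can reach the rest of your home directory.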