
Re: The joy of simplicity?

From "Rod Speed" <rod.speed.aaa@gmail.com>
Newsgroups alt.folklore.computers
Subject Re: The joy of simplicity?
Date 2015-07-19 09:01 +1000
Message-ID <d10470F95frU1@mid.individual.net> (permalink)
References <PM00051AE92462C0E0@aca40f69.ipt.aol.com> <1443018172458656142.548953peter_flass-yahoo.com@news.eternal-september.org> <PM00051AFE21B80058@aca42e0b.ipt.aol.com> <d0qg66Fqs5uU1@mid.individual.net> <ttnn7c-djp.ln1@sambook.reistad.name>



Morten Reistad <first@last.navn> wrote
> Rod Speed <rod.speed.aaa@gmail.com> wrote
>> jmfbahciv <See.above@aol.com> wrote
>>> Peter Flass wrote
>>>> jmfbahciv <See.above@aol.com> wrote
>>>>> Andrew Swallow wrote
>>>>>> jmfbahciv wrote
>>>>>>> Rod Speed wrote
>>>>>>>> jmfbahciv <See.above@aol.com> wrote
>>>>>>>>> Andrew Swallow wrote

>>>>>>>>>> This will help but unfortunately the database you
>>>>>>>>>> are keeping secret ends up inside the sandbox.

>>>>>>>>> Implement a file daemon like we did on TOPS-10.

>>>>>>>> Doesn't do a damned thing about the problem he is talking about.

>>>>>>> Of course it can.  The file daemon can do anything one wants
>>>>>>> it to. In order to circumvent the security, a cracker has to patch
>>>>>>> the monitor to redirect the IPCF messages _and_ its contents.

>>>>>> Can the virus tell the daemon to get the next database record?
>>>>>> If so repeat until the entire database has been extracted.

>>>>> Only if the file daemon is designed to allow such access without 
>>>>> security.

>>>>> Using a file daemon to access otherwise protected files from a user,
>>>>> including an app, allows access without the user/app having to have
>>>>> the system privileges one would need if a daemon wasn't available.

>>>>> The sample JMF wrote, was designed to extend access to files.
>>>>> There isn't anything preventing a daemon from accessing the
>>>>> contents of files. The neat thing was that you could protect a
>>>>> file from [1,2] accessing it.  [1,2] was the equivalent user to
>>>>> Unix' sudo (I think that's what it's called.)

>>>> A daemon has nothing to do with this. The file system has to run
>>>> at a higher privilege level (which most do) and have no bugs or
>>>> security holes (which doesn't seem to be true).  The problem seems
>>>> to be that unauthorized code takes advantage of holes in the system
>>>> to get an elevated privilege level and access things it shouldn't.

>>> If you have a file daemon, you can protect all files
>>> and directories from any access at all times.

>> There you go, utterly mangling the terminology just like you always do.

> No, she has just given some references to
> some DEC systems that have fallen into disuse.

She isn't doing that in this case with her claim that 'you can
protect all files and directories from any access at all times'

> Both tops10 and tops20 have decent file protection
> primitives (contrasted to *n*x native and windows).

Yes, but it’s a lie to claim that 'you can protect all
files and directories from any access at all times'

> They are almost as good as the multics ones from the later versions.

> In addition you could connect a user mode process to a partition, and
> have the failed requests come in for a secondary view, and you could
> permit them anyhow. If you wanted every open request to go through
> that daemon you just set permissions 000 (unix-speak) on the mount point.

> These user mode daemons handle open()s, and set the subsequent read(),
> write(), append() and select()/poll() permissions on the file handle as
> long as it is kept open.

But that is nothing like her claim that 'you can protect
all files and directories from any access at all times'

> This is one solution to the jail-process-problem, but I think the
> jail() version of chroot() is a much better one. For one, you have a
> system-provided check that you stay within your jail on every (of ~150)
> system call the process performs. This limits the scope of the external
> impact from every program executed within that process.

>>> When an access fails, the file daemon can be
>>> called to decide if access should be allowed.

>> But it needs to have some basis for making that decision.

>>> With that you can have MBs of code examining the situation and making
>>> decisions.  What's more you could also create sectors of file daemons
>>> called by the master file daemon.  A lot of protections on the PDP-10s
>>> were built into the way we handled [P,PN]s.  ppn protections were
>>> stricter and easier than access ids which were names.

>> That last isn't the problem being discussed.

>> And iOS essentially does what you are talking about and
>> so utterly misnamed by sandboxing so nothing gets access
>> to the data that belongs to an app except the app itself and
>> with stuff like the contacts where more than one app needs
>> to have access to some of the data at times, the user gets
>> to authorise access by other than the app that owns the data.

>> It's never going to be possible for 'a file daemon' to decide
>> just what needs to have access to stuff like the contacts.

> Don't dismiss it outright.

I was only dismissing the claim that 'you can protect all
files and directories from any access at all times' outright.

> I have seen user-mode file systems do
> similar things on modern systems.

Sure, but still nothing like 'you can protect all
files and directories from any access at all times'
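
The user-mode daemon described in the quoted text above (every open() goes through the daemon, and the handle it returns fixes which reads and writes are allowed while it stays open) can be sketched as a broker that passes file descriptors over a Unix socket. This is an added example, not code from any poster in the thread. Assumptions: the policy table, the client name `app1` and the file names are constructed; both sides run in one process here, whereas a real broker would run as a different user, take the client identity from peer credentials rather than the request text, and keep the data directory closed to the client (Unix only, Python 3.9+).

```python
import os, socket, tempfile, threading

def broker(sock, policy):
    """Answer 'client mode path' requests with an open fd, or DENIED."""
    while (req := sock.recv(4096)):
        client, mode, path = req.decode().split(" ", 2)  # client id is self-declared (assumption)
        real = os.path.realpath(path)   # resolve ../ and symlinks before the policy lookup
        if mode not in ("r", "a") or mode not in policy.get((client, real), ""):
            sock.send(b"DENIED")
            continue
        fd = os.open(real, os.O_RDONLY if mode == "r" else os.O_WRONLY | os.O_APPEND)
        try:
            socket.send_fds(sock, [b"OK"], [fd])  # SCM_RIGHTS: the handle carries the access mode
        finally:
            os.close(fd)

def request_open(sock, client, mode, path):
    """Client side: ask the broker for a handle; None means refused."""
    sock.send(f"{client} {mode} {path}".encode())
    msg, fds, _, _ = socket.recv_fds(sock, 16, 1)
    return fds[0] if msg == b"OK" else None

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as d:
        contacts, other = os.path.join(d, "contacts.db"), os.path.join(d, "other.db")
        for p in (contacts, other):                      # constructed sample data
            with open(p, "w") as f:
                f.write("record1\nrecord2\nrecord3\n")
        policy = {("app1", os.path.realpath(contacts)): "r"}   # app1 may read contacts only
        cli, srv = socket.socketpair()
        t = threading.Thread(target=broker, args=(srv, policy), daemon=True)
        t.start()
        fd = request_open(cli, "app1", "r", contacts)
        out["other_file"] = request_open(cli, "app1", "r", other)
        out["append"] = request_open(cli, "app1", "a", contacts)
        out["traversal"] = request_open(cli, "app1", "r", os.path.join(d, "x", "..", "other.db"))
        try:
            os.write(fd, b"tamper")
            out["write_on_read_fd"] = "allowed"
        except OSError:                                  # kernel enforces the mode on the handle
            out["write_on_read_fd"] = "refused"
        out["records"] = os.read(fd, 4096).decode().split()  # every record is readable via the grant
        os.close(fd)
        cli.close(); t.join(2); srv.close()
    return out

if __name__ == "__main__":
    print(demo())
```

The broker refuses the other file, the append request and the `..` path, and the kernel refuses a write on the read-only handle. The `records` result is the case raised earlier in the thread: once `app1` holds a read grant, the broker cannot tell the app from any code running inside it, so the whole file can be read record by record.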
 
