| From | "Rod Speed" <rod.speed.aaa@gmail.com> |
|---|---|
| Newsgroups | alt.folklore.computers |
| Subject | Re: The joy of simplicity? |
| Date | 2015-07-20 06:38 +1000 |
| Message-ID | <d12g5gFrbubU1@mid.individual.net> |
| References | (16 earlier) <d0qg66Fqs5uU1@mid.individual.net> <ttnn7c-djp.ln1@sambook.reistad.name> <PM00051B266DEF881D@aca2d680.ipt.aol.com> <20150718155115.7c7d49ee804db58bd8f88797@eircom.net> <PM00051B3A08B01556@aca2e736.ipt.aol.com> |

"jmfbahciv" <See.above@aol.com> wrote in message news:PM00051B3A08B01556@aca2e736.ipt.aol.com...

> Ahem A Rivet's Shot wrote:
>> On 18 Jul 2015 13:34:19 GMT
>> jmfbahciv <See.above@aol.com> wrote:
>>
>>> Morten Reistad wrote:
>>
>>> > This is one solution to the jail-process-problem, but I think the
>>> > jail() version of chroot() is a much better one. For one, you have a
>>> > system-provided check that you stay within your jail on every (of ~150)
>>> > system call the process performs. This limits the scope of the external
>>> > impact from every program executed within that process.
>>>
>>> That's an interesting approach but wouldn't it have to ignore
>>> terminal I/O?
>>
>> Yes terminal I/O is by default not available in a jail unless you
>> connect a virtual terminal to the virtual terminal port and the jail is
>> running something connected to the virtual terminal port (often there's a
>> full OS image running in the jail - sometimes not the same OS as the
>> host).

> Sounds expensive.

Then you need a new hearing aid, it isn't.

>>> And what about network accesses? ISTM there would have
>>
>> Jails have separate network configuration to the host, which is
>> provided by the host. I have one jail running here that sees only a VPN
>> connection and has no access to my LAN which limits the incursions possible
>> from the other side of that VPN.
>>
>>> to be a list of system calls that would need ignoring. I suppose that
>>> approach could provide a blanket security but not control over
>>> contents of specific files/directories.
>>
>> Jails live in a chroot environment so the directory tree they see
>> is a subset of that on the host.

> OK. That sounds like the system manager sets it up instead
> of the user/owner of the service area within the system.

Varies with the implementation. With iOS on Apple iDevices
the user decides what access apps have to their files and data.

>>> The latter technique would
>>> only be invoked if, and only if, the "owner" of the file/directory
>>> wanted to invoke it. With your approach, it would be a system
>>> invocation rather than something set up privately by a user within
>>> that system.
>>
>> Yes jails are a system level thing usually used to isolate network
>> services from each other and the rest of the system.
>>
>> File daemons if I'm understanding correctly provide a programmed
>> way to give controlled access to otherwise forbidden operations on selected
>> files and directories.

> It's more elegant than that. The user can cause file protection faults for
> any file or directory s/he owns. The file daemon is invoked when an access
> is attempted. The user has a file in the directory which can iterate who
> may access the file, who may not access the file and which kinds of access
> specific ppns can do. This was the example implementation of our file
> daemon. It can get more complicated with contents of files.
>
> To cause a blanket protection failure for everyone, including ppns with
> privs, I simply protected my ppn.UFD and *.SFD files to cause a protection
> failure. Not even the operators could access my area without invoking the
> file daemon. Note that there wasn't a security hole if the file daemon
> wasn't running because the protections which invoked the file daemon
> were greater than normal.
>
>> In a unix environment this is usually done with a
>> service but that doesn't present like a file system access instead you talk
>> the service protocol to a server which manipulates the files you're not
>> allowed to touch.
>>
>> A file system supporting file daemons would probably be easy to put
>> together under the user space filesystem layer in Linux, a little harder
>> without user space filesystem support.
>
> TOPS-10 was a timesharing system with projects. Each project was able
> to control its own areas without sysadmin human intervention.
>
> For instance a prof who had a class could get a project number
> of 306. Each student would have a ppn of [306, nnn]. The prof could
> set up his area and theirs for accessing. He could allow read only
> access to some files in his area for only the [306,*] ppns. He can
> also log accesses and set up the students' ppns so he could read
> anything in those directories...or write anything.
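
The file-daemon check described in the quoted text above, sketched as an added example that is not part of the thread or of any poster's message and is not TOPS-10 code. The rule format, the file names, and every ppn other than the `[306,*]` pattern are assumptions made for illustration; it models the owner-controlled access list, the logging, and the fail-closed behaviour when the daemon is not running.

```python
# Added illustration: a simplified model of an owner-controlled file daemon.
# The rule format and all names are hypothetical, not TOPS-10's real syntax.
from fnmatch import fnmatchcase

# Constructed sample: the professor's access list, kept in his own directory.
# Each rule is (ppn pattern, file pattern, allowed access kinds); first match
# wins. ppns are written without brackets because fnmatch treats [] specially.
PROF_RULES = [
    ("306,1", "*", {"read", "write"}),      # the professor's own ppn (assumed)
    ("306,*", "HANDOUT.*", {"read"}),       # students: read-only on handouts
    ("*,*", "*", set()),                    # everyone else, privileged or not
]

access_log = []  # the daemon records every attempt it is asked to judge


def daemon_decides(rules, ppn, filename, kind):
    """Return True if the first rule matching (ppn, filename) allows `kind`."""
    for ppn_pat, file_pat, kinds in rules:
        if fnmatchcase(ppn, ppn_pat) and fnmatchcase(filename, file_pat):
            return kind in kinds
    return False  # no rule matched: deny


def access(ppn, filename, kind, *, daemon_running=True, rules=PROF_RULES):
    """Model one access to a file whose protection always raises a fault.

    The protection denies every direct access, privileged ppns included, so
    the daemon is the only path to a grant. With no daemon running the
    protection fault simply stands: the design fails closed.
    """
    if not daemon_running:
        return False
    allowed = daemon_decides(rules, ppn, filename, kind)
    access_log.append((ppn, filename, kind, allowed))
    return allowed


if __name__ == "__main__":
    print(access("306,17", "HANDOUT.TXT", "read"))    # student reads handout
    print(access("306,17", "EXAM.KEY", "read"))       # student, other file
    print(access("1,2", "HANDOUT.TXT", "read"))       # outside ppn (constructed)
    print(access("306,1", "EXAM.KEY", "read", daemon_running=False))
    print(access_log)
```
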