Re: On trusting its parent process

From: Marcus Brinkmann
Subject: Re: On trusting its parent process
Date: Tue, 12 Jul 2005 18:36:20 +0200
User-agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)


I wish I knew Plan 9 and EROS better, so I could answer your question.
I don't understand what Jonathan Shapiro is saying in the mail you
refer to, so it's very hard to comment.

>   1. The *only* way that a process in plan-9 can obtain a capability is
>   from its parent.


>   This differs very strongly from the status in EROS/Coyotos, where
>   *authentication* capabilities are not considered to be "holes" for
>   purposes of confinement. An implication of this is that the capability
>   which answers the question "Is this capability a capability to an
>   authentic X object" can be widely distributed, and can come to the user
>   in a way that the parent process cannot interfere with.

So what would such a way be?  The only way I see is by a kernel system
call which performs right amplification, and grants the process the
authority to authenticate capabilities.  Maybe this is how it is done
in EROS (I vaguely remember something like this, but the details
escape me).

> In the Hurd, processes get capabilities to the root filesystem, to
> `auth' and friends from their parent process.

Not quite right.  They get their capabilities from the parent.  There
are some capabilities they can get from Mach: task-self, thread-self.
But the others are inherited from the parent process.  The "root
directory port" is one such capability.

>  This is very convenient
> because it allows running processes in a "sandbox".  OTOH, this makes it
> impossible for a process to make sure it is talking to "authentic"
> servers, as in the Plan 9 case above.

Right.  It is unclear to me though if this actually is a problem.
Whether it is a problem or not seems to depend on other aspects of the
system design.  For example, in EROS, you have constructors, which seem
to be a bit like "suid" applications in Unix.  If you start a suid
application, who is the parent task?  In the Hurd, it is the
filesystem providing the suid application, _not_ the user initiating
the execution.  The suid application receives an initial execution
environment which is a mix of the filesystem's and the initiator's
execution environment.

So, besides the other doubts I have expressed above, I also have some
doubts about how the word "parent" is used here.

> Now, what does "authentic" mean in a system designed in such a way that
> most system services can be replaced by the user?  Should programs be
> allowed to rely on a specific implementation of a given service?

I think you can get more insight if you try to focus on the word
"parent" and try to figure out what the parent is in the Plan 9, EROS,
and Hurd case.

If you figure it out, let me know :)
