Re: On trusting its parent process

From: Ludovic Courtès
Subject: Re: On trusting its parent process
Date: Wed, 13 Jul 2005 18:17:31 +0200
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Marcus Brinkmann <address@hidden> writes:

> Right, but which constructor does the server use to identify the
> buffer capability?  Where did it get the constructor from?  My answer
> would be: From its own parent process.  IE, from the process that
> created the constructor for the server process.  Right?
> In the Hurd, this is how it is done:  The server would get a
> capability to its own trusted mediators from its parent process, and
> then it would use those capabilities to verify capabilities it gets by
> the client.
> Now, the question is: How can the server trust the capabilities it got
> by its own parent?  Or in EROS speak: How can it trust that it is
> identifying the capability wrt the right constructor?  What is the
> parent of the server?  The client instantiating the server through a
> constructor, or the process creating the constructor?

In fact, authenticity is relative to each process execution environment.
If a server receives, say, a TBO capability, it has to make sure (before
it uses it) that this capability comes from a TBO server it trusts.  And
each process usually knows of only one TBO (or auth, or proc, etc.)
server which is the one it was introduced to by its parent process.

Only in some cases do processes need to have "absolute authenticity"
proofs, that is, authenticity wrt. what the machine's administrator
intends to do.  For instance, `passwd' needs to make sure the data it is
accessing is the one _it_ created earlier.  (I guess persistence comes
in handy here because such sensitive programs do not need to expose
their state publicly and need not rely on an authentic file server.)

It looks like I'm just repeating the same things over, but it really
helps me understand the issue.  ;-)
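
The relative notion of authenticity discussed in the message above, as an added illustration that is not part of the original post and is not Hurd or EROS code. The model is constructed, and the names `TBOServer`, `Process`, `identify` and `accept_buffer` are hypothetical:

```python
class Capability:
    """Opaque handle: in this toy model, holding the object is holding the capability."""

class TBOServer:
    """Hypothetical buffer-object server that can recognise capabilities it minted."""
    def __init__(self, name):
        self.name = name
        self._buffers = {}  # id(cap) -> (cap, data); cap is kept alive so its id stays unique

    def create_buffer(self, data):
        cap = Capability()
        self._buffers[id(cap)] = (cap, data)
        return cap

    def identify(self, cap):
        """True only if this server minted `cap`."""
        entry = self._buffers.get(id(cap))
        return entry is not None and entry[0] is cap

    def read(self, cap):
        if not self.identify(cap):
            raise PermissionError(f"{self.name}: not one of my capabilities")
        return self._buffers[id(cap)][1]

class Process:
    def __init__(self, name, trusted_tbo):
        self.name = name
        # The only TBO server this process knows is the one its parent introduced.
        self._trusted_tbo = trusted_tbo

    def spawn(self, name, tbo=None):
        # A parent passes on its own TBO server, or substitutes another one.
        return Process(name, self._trusted_tbo if tbo is None else tbo)

    def accept_buffer(self, cap):
        # Verify before use: ask the trusted server, never the capability itself.
        if not self._trusted_tbo.identify(cap):
            return None
        return self._trusted_tbo.read(cap)

def demo():
    system_tbo, private_tbo = TBOServer("system-tbo"), TBOServer("private-tbo")
    root = Process("root", system_tbo)
    server = root.spawn("server")                     # inherits system_tbo
    confined = root.spawn("confined", private_tbo)    # parent chose another TBO server
    cap_sys = system_tbo.create_buffer(b"from system")
    cap_priv = private_tbo.create_buffer(b"from private")
    return (server.accept_buffer(cap_sys), server.accept_buffer(cap_priv),
            confined.accept_buffer(cap_sys), confined.accept_buffer(cap_priv))

if __name__ == "__main__":
    print(demo())
```

The same capability is accepted in one execution environment and rejected in the other, depending only on which server the parent handed over.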

