On Tue, 16 Jan 2001, George Greer wrote:

> MUD++ used a trimmed version of 'pico' for its work. We'd probably have
> something similar and put big warning signs around using 'vi' or 'emacs'
> for editing. The security is a side issue until we actually get to the
> point of detailed design because we don't know how (if) we'd implement it
> and what countermeasures would be available with said method.

Restricted execution, restricted execution, restricted execution.

Any system that is going to rely on a bunch of small programs kindly interacting has to have a way for a trusted application to spawn an untrusted child safely. That is, build a sandbox for the child to play in and not be able to do any harm.

I think ptrace() might provide one way to do this. I want to be rather guarded with my estimation of the level of security it could give us. At the same time, I think it's feasible that, through sufficient limits on capabilities, you could give someone a full-blown shell and have a reasonable assurance that they're not doing anything that will hurt *too* much. Of course, I wouldn't do it.

-dak

-- 
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
+---------------------------------------------------------------+
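The ptrace() sandbox the message above floats, as an added example that is not part of the original post nor of CircleMUD or MUD++. It is Linux-specific: the trusted parent forks the untrusted child, which calls PTRACE_TRACEME and stops itself; the parent then restarts it with PTRACE_SYSCALL so that every system call entry traps back to the parent, which reads the syscall number out of the tracee's registers and SIGKILLs the child before the kernel executes anything not on a small allow-list. The function names (run_sandboxed, syscall_allowed, tracee_syscall_nr), the SANDBOX_* result codes, the allow-list contents and the two constructed children are all this example's own choices; register extraction is written for x86-64 and aarch64 only.

```c
/* Added example (not CircleMUD/MUD++ code): a minimal ptrace()-based syscall
 * sandbox for Linux. Names, allow-list and result codes are this example's own. */
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SANDBOX_OK = 0, SANDBOX_DENIED = 1, SANDBOX_UNAVAILABLE = 2, SANDBOX_ERROR = 3 };

/* Allow-list for the untrusted child: I/O on descriptors it already holds,
 * memory management and a clean exit. open/socket/execve/fork are all denied. */
int syscall_allowed(long nr) {
    switch (nr) {
    case SYS_read: case SYS_write: case SYS_close: case SYS_fstat:
    case SYS_brk: case SYS_mmap: case SYS_munmap:
    case SYS_rt_sigprocmask: case SYS_rt_sigreturn: case SYS_getpid:
    case SYS_exit: case SYS_exit_group:
        return 1;
    default:
        return 0;
    }
}

/* Read the pending syscall number out of the stopped tracee's registers. */
static long tracee_syscall_nr(pid_t pid) {
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    return (long)regs.orig_rax;          /* orig_rax survives the kernel clobbering rax */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1) return -1;
    return (long)regs.regs[8];           /* x8 holds the syscall number */
#else
    (void)pid;
    return -1;                           /* unknown architecture: deny everything */
#endif
}

/* Fork child_fn() into a traced child and stop it at every syscall entry.
 * A denied syscall gets the child SIGKILLed before the kernel performs it. */
int run_sandboxed(void (*child_fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_ERROR;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(97);
        kill(getpid(), SIGSTOP);         /* hand control to the parent before running */
        child_fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return SANDBOX_ERROR;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 97) return SANDBOX_UNAVAILABLE;
    if (!WIFSTOPPED(status)) return SANDBOX_ERROR;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80; EXITKILL kills the child if we die. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));

    int in_syscall = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return SANDBOX_ERROR;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) return SANDBOX_ERROR;
        if (WIFEXITED(status)) return WEXITSTATUS(status) == 0 ? SANDBOX_OK : SANDBOX_ERROR;
        if (WIFSIGNALED(status)) return SANDBOX_ERROR;
        if (!WIFSTOPPED(status)) continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);      /* ordinary signal: deliver it on restart */
            continue;
        }
        in_syscall = !in_syscall;        /* syscall stops alternate entry, exit */
        if (in_syscall && !syscall_allowed(tracee_syscall_nr(pid))) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return SANDBOX_DENIED;
        }
    }
}

/* Two constructed untrusted children: one well-behaved, one that tries the filesystem. */
void child_hello(void) {
    const char msg[] = "child: hello from the sandbox\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);      /* write: allowed */
}

void child_reads_file(void) {
    int fd = open("/etc/passwd", O_RDONLY);         /* openat: not on the allow-list */
    if (fd >= 0) close(fd);
}

int main(void) {
    printf("hello  -> %d (0 = SANDBOX_OK)\n", run_sandboxed(child_hello));
    printf("passwd -> %d (1 = SANDBOX_DENIED)\n", run_sandboxed(child_reads_file));
    return 0;
}
```

Two caveats a practitioner should keep in mind with this approach. First, the parent only sees the syscall number and register values; any argument that lives in the child's memory (a path, a buffer) can be rewritten by another thread of the child between the parent's check and the kernel's use of it, so a ptrace monitor that inspects pointers is racy unless the child is single-threaded. Second, every syscall costs two context switches into the tracer, which is why later Linux sandboxes moved the allow-list into the kernel with seccomp-bpf and use ptrace only for the cases the filter punts on.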
This archive was generated by hypermail 2b30 : 12/03/01 PST