Seamless Lessons & Security (commentary)

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Mon Jul 7 14:59:00 EDT 2008


On Jul 7, 2008, at 10:29 AM, Martin Dengler wrote:
> No response?

Your message _appears_ to suppose that the security model was defined  
for the hell of it, or because someone wanted to engage in an  
interesting academic experiment, and thus breaking the security model  
when it's convenient is somehow okay. That's not a discussion I'm  
particularly interested in, but Michael will probably be more helpful.

> ...seems false. I just tried an IE 7.0 install I have, and it does in fact
> support "launch-by-click" for executables yields:
> http://dev.laptop.org/~mdengler/launch-by-click-ie.jpg


That's precisely the seam that Michael and I wrote about in his  
previous message to the thread. The opposition he and I have is  
towards allowing single-click actions to cross security barriers  
without the system _ensuring_ that the user is informed of the crossing.

In other words, to support Browse launching Pippy when a .py file is  
clicked, Rainbow would have to confer upon Browse the privilege of  
launching other activities (which may, and in the case of execution  
environments such as Pippy and eToys, regularly will) have higher  
privileges than Browse itself, have such launched activities operate  
on arbitrary input provided by Browse, and not require user approval  
anywhere in the process.

This is stupid.

The way to do it is to throw up a (system-, not Browse- rendered!)  
warning dialog indicating that a security boundary is about to be  
crossed, and allowing the user to stop the action -- unless this  
particular boundary traversal was specifically approved ahead of time.

--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
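The design Ivan describes above (a launch that would cross into a higher-privilege activity is mediated by the system, stopped by default, and allowed without a prompt only when that particular crossing was approved ahead of time) can be sketched as a small launch broker. This is an added illustration, not Rainbow or Sugar code; the activity names, the numeric privilege levels and the `prompt` callback are assumptions made for the example.

```python
"""Added illustration (not OLPC/Rainbow code): a launch broker that refuses to
let a low-privilege activity (Browse) start a higher-privilege one (Pippy,
eToys) on arbitrary input unless the crossing was pre-approved or the user
confirms it through a system-rendered prompt. Names and levels are assumed."""
from dataclasses import dataclass, field
from typing import Callable

# Assumed privilege ordering for the example: higher number = more capable.
# Execution environments such as Pippy and Etoys sit well above Browse.
PRIVILEGE = {"Browse": 1, "Read": 1, "Pippy": 3, "Etoys": 3, "Terminal": 4}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class LaunchBroker:
    # Boundary crossings the user approved ahead of time, as (source, target).
    preapproved: set = field(default_factory=set)
    # The prompt is rendered by the system, never by the requesting activity,
    # so the source cannot forge, restyle or suppress it. Returns True only if
    # the user explicitly consents. Default: no prompt available -> deny.
    prompt: Callable[[str, str, str], bool] = lambda src, dst, payload: False
    # Every decision is recorded so an operator can review what was launched.
    audit: list = field(default_factory=list)

    def request_launch(self, source: str, target: str, payload: str) -> Decision:
        """Decide whether `source` may start `target` on `payload`."""
        src_level = PRIVILEGE.get(source)
        dst_level = PRIVILEGE.get(target)
        if src_level is None or dst_level is None:
            decision = Decision(False, "unknown activity")
        elif dst_level <= src_level:
            # Same or lower privilege: no security boundary is crossed.
            decision = Decision(True, "no boundary crossed")
        elif (source, target) in self.preapproved:
            # This particular traversal was approved ahead of time.
            decision = Decision(True, "pre-approved crossing")
        elif self.prompt(source, target, payload):
            decision = Decision(True, "user approved at system prompt")
        else:
            decision = Decision(False, "user declined or no prompt available")
        self.audit.append((source, target, decision.allowed, decision.reason))
        return decision


if __name__ == "__main__":
    # Constructed scenario: Browse wants Pippy to run a clicked .py file.
    broker = LaunchBroker(prompt=lambda s, t, p: input(f"{s} -> {t} on {p}? [y/N] ") == "y")
    print(broker.request_launch("Browse", "Pippy", "clicked.py"))
```

With the default `prompt` the broker denies every upward crossing outright, which is the safe failure mode when no system dialog can be shown; a pre-approval entry or an explicit "yes" at the prompt is the only way a Browse-to-Pippy launch goes through, and a launch that crosses no boundary (Browse starting Read) needs neither.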