[OLPC Security] qmail security
Marcus Leech
mleech at nortel.com
Thu Dec 20 15:57:10 EST 2007
C. Scott Ananian wrote:
>
> I thought the concrete description of the UNIX api for strictly
> limiting permissions for subprocesses a useful checklist (are we
> applying all of these limits?) and, in general, I thought it similar
> enough to our implementation strategy to be worth a mention on
> whatever wiki pages document our implementation (are there any?).
>
Michael and I have been playing with some of the resource-limiting stuff in experimental versions of Sugar, although independently arrived at.

Using resource limits to do "damage control" only works if you can reliably predict what the "normal" resource constraints of a controlled process are. In Dan's jpegtopnm example, it's very easy to characterize the process's "expected" resource profile. It only needs stdin and stdout available, and should *never* fork a new process. But it gets more complicated really quickly with other types of applications (Browse, eToys, etc).
> It seems like making as much as possible of the datastore and sugar
> 'untrusted code', for example, would be very wise. It would also be
> worthwhile to audit our code for uses of 'system' and 'subprocess' and
> replace as many as possible of the forked processes with some
> 'safe_fork' function which limited permissions in the same way
> pnmtojpeg was encapsulated.
> --scott
>
Limiting trusted code is definitely a useful exercise. But the rather simple pnmtojpeg model in djb's paper is difficult to map in a fully general way to all of our applications.
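The `safe_fork` wrapper Scott suggests, with the "stdin and stdout only, never forks" profile Marcus describes for the jpegtopnm case, as an added Python example (not code from this thread or from Sugar). It assumes Linux and Python 3.7+, uses `tr` and `sh` as stand-ins for a real filter, and the limit values are illustrative.

```python
import os
import resource
import subprocess
import tempfile

# Profile for a stdin -> stdout filter such as pnmtojpeg: it reads fd 0,
# writes fd 1, and should never create processes, files or core dumps.
# Values are illustrative; tune them per filter.
FILTER_LIMITS = {
    resource.RLIMIT_NPROC: 0,   # no fork()/clone(); not enforced for root
    resource.RLIMIT_FSIZE: 0,   # any write() to a regular file fails (SIGXFSZ)
    resource.RLIMIT_CORE: 0,    # no core dumps of possibly sensitive buffers
    resource.RLIMIT_CPU: 5,     # CPU seconds before SIGXCPU
    resource.RLIMIT_AS: 256 << 20,  # address-space cap in bytes
}


def _apply_limits(limits):
    """Runs in the child between fork() and exec(); hard == soft so the
    filter cannot raise the limits again."""
    for res, value in limits.items():
        resource.setrlimit(res, (value, value))


def safe_run(argv, data, limits=FILTER_LIMITS, timeout=30):
    """Hypothetical 'safe_fork': run argv as a filter over `data` with only
    fds 0-2 inherited and the resource profile installed before exec."""
    return subprocess.run(
        argv, input=data, capture_output=True, timeout=timeout,
        close_fds=True,          # drop every inherited fd except 0, 1, 2
        restore_signals=True,    # SIGXFSZ/SIGXCPU back to default: limits are fatal
        preexec_fn=lambda: _apply_limits(limits),
    )


def check_profile():
    """Constructed self-check: a benign filter works; a filter that tries to
    write a file on disk is stopped before a byte lands."""
    ok = safe_run(["tr", "a-z", "A-Z"], b"hello, sugar")
    target = os.path.join(tempfile.mkdtemp(), "escaped.txt")
    leak = safe_run(["sh", "-c", 'echo escaped > "$0"', target], b"")
    return {
        "filter_rc": ok.returncode,
        "filter_stdout": ok.stdout,
        "write_rc": leak.returncode,    # nonzero: killed by SIGXFSZ or EFBIG
        "write_size": os.path.getsize(target) if os.path.exists(target) else 0,
    }


if __name__ == "__main__":
    print(check_profile())
```

The NPROC limit is the one that encodes "never fork"; it is skipped by the kernel for privileged uids, which is why the self-check exercises the file-size limit instead.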