Ted Lemon mellon at
Fri Jan 11 23:25:12 CET 2008

On Jan 11, 2008, at 9:16 AM, Schmidt András wrote:
> I assume that sudo prevents the hardware from being bricked accidentally
> by the user or by a userspace program. What I meant is that
> protecting the user's data is more important than protecting the
> device itself.

Sudo takes away security - it doesn't add security. If you fail to
protect the device, then by extension you have also failed to protect
the user's data. So you need to do both.

Bitfrost works by separating privileges at a finer granularity than
per-user. Instead, it's per-app. So typically an app that can make
arbitrary network connections doesn't have access to user data, and
vice versa. All apps run in sandboxes, and communicate via D-Bus.

The notion is that security compromises generally come through
applications that are suborned. So if you know in advance what the
application should normally be able to do, and only let it do that,
then when it's suborned by an attacker, the attacker doesn't gain
anything, because they've only gained access to the sandbox, not the
whole machine.

The security model is very well thought out, and would work well on a
phone - it's intended to protect a non-computer-literate child from
malicious attack, and so the level of security-awareness of the user
is similar to what you'd expect from the average mobile phone user.
