root
Ted Lemon
mellon at fugue.com
Fri Jan 11 23:25:12 CET 2008
On Jan 11, 2008, at 9:16 AM, Schmidt András wrote:
> I assume that sudo prevents the hardware to be bricked accidentally
> by the user or by a userspace program. What I wanted to mean is that
> protecting the user's data is more important than protecting the
> device itself.
Sudo takes away security - it doesn't add security. If you fail to
protect the device, then by extension you have also failed to protect
the user's data. So you need to do both.
Bitfrost works by separating privileges at a finer granularity than
per-user. Instead, it's per-app. So typically an app that can make
arbitrary network connections doesn't have access to user data, and
vice versa. All apps run in sandboxes, and communicate via d-bus.
The notion is that security compromises generally come through
applications that are suborned. So if you know in advance what the
application should normally be able to do, and only let it do that,
then when it's suborned by an attacker, the attacker doesn't gain
anything, because they've only gained access to the sandbox, not the
whole machine.
The security model is very well thought out, and would work well on a
phone - it's intended to protect a non-computer-literate child from
malicious attack, and so the level of security-awareness of the user
is similar to what you'd expect from the average mobile phone user.
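The per-app model Ted describes (each app declares up front what it may do, a broker mediates every privileged request, and a suborned app gains only its own sandbox) can be sketched as a small policy simulation. This is an added illustration written for this archive page; it is not code from the thread, from OLPC, or from Bitfrost, and the capability names, the Manifest format, and the Broker class are all constructed assumptions. It also adds a defender's check the message only implies: flagging any app declared with both network and user-data access, since one compromise of such an app would reach both.

```python
from dataclasses import dataclass, field

# Two of the privileges the message contrasts: arbitrary network access
# and access to the user's data. Names are constructed for this example.
NETWORK = "network"
USER_DATA = "user_data"


@dataclass(frozen=True)
class Manifest:
    """What an app is declared to need in advance (hypothetical format)."""
    name: str
    grants: frozenset


@dataclass
class Broker:
    """Mediates every privileged request; apps never touch resources directly."""
    manifests: dict
    audit: list = field(default_factory=list)

    def request(self, app: str, capability: str) -> bool:
        """Allow only what the app's manifest declared; log every decision."""
        manifest = self.manifests.get(app)
        allowed = manifest is not None and capability in manifest.grants
        self.audit.append((app, capability, "allow" if allowed else "deny"))
        return allowed


def risky_manifests(manifests):
    """Defender's lint: apps granted both network and user-data access let a
    single compromise reach both, which the per-app model tries to avoid."""
    return sorted(m.name for m in manifests.values()
                  if {NETWORK, USER_DATA} <= m.grants)


def run_scenario():
    """Constructed scenario: normal use, then a suborned app overreaching."""
    manifests = {
        "chat": Manifest("chat", frozenset({NETWORK})),
        "journal": Manifest("journal", frozenset({USER_DATA})),
        # Constructed outlier that the lint should flag.
        "sync": Manifest("sync", frozenset({NETWORK, USER_DATA})),
    }
    broker = Broker(manifests)
    # Normal operation: each app does only what its manifest says.
    broker.request("chat", NETWORK)
    broker.request("journal", USER_DATA)
    # Suppose "chat" is suborned: its requests now reach for user data.
    stolen = broker.request("chat", USER_DATA)
    # An app that was never declared to the broker gets nothing at all.
    unknown = broker.request("rogue", NETWORK)
    return {
        "chat_network": broker.audit[0][2],
        "journal_data": broker.audit[1][2],
        "compromised_chat_reads_data": stolen,
        "unknown_app_network": unknown,
        "denied_events": [a for a in broker.audit if a[2] == "deny"],
        "risky": risky_manifests(manifests),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit list is the detection side of the model: a deny event for an app asking for something outside its manifest is exactly the signal that the app has been suborned, and it is available before any data leaves the sandbox.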