moko running everything as root

Lally Singh lally.singh at gmail.com
Sun Jun 22 22:09:05 CEST 2008


On Wed, Jun 18, 2008 at 6:24 PM, Kevin Dean <kevin at foreverdean.info> wrote:
> On Wed, Jun 18, 2008 at 4:26 PM, Knight Walker <moko at kobran.org> wrote:
>
>> The root/user separation is the most fundamental part of a security
>> policy and here is why.  Root is by its nature not only unrestricted but
>> unrestrictable (I think I just made up a new word). A non-root user can
>> only destroy the data that user "owns". Now while the conventional
>> desktop, user "johndoe" owns all his MP3s and pr0n and thus can delete
>> and otherwise destroy them; on the Moko platform, the extensive use of
>> DBus makes destruction of the "most important part" more difficult.
>>
>> What I'm saying is that (Where possible) a daemon holds the important
>> data (PIM data, calendar data, etc) and is capable of restricting what
>> the user can do with it.  The user account communicates with this daemon
>> (via DBus or whatever) and gets the data the user wants while protecting
>> the same. Both being normal users, they are not allowed to step on each
>> other, but if the user is root, then someone with malicious intents can
>> exploit that user account to step on the guardian account, either
>> causing a DoS (crash) or actually manipulating/destroying data.
>
> Actually, I think you've just sold me. I'm thinking about Openmoko a
> lot like I think of a desktop system (having looked at the way the
> data is on Om currently) that holds "everything is a file" and while
> it may be true, from an action perspective passing information through
> a non-root, non-user daemon exposes that information to the user in a
> way that's more than simply "dealing with a file". That's the goal of
> the ASU/zhone and it's a management case I wasn't even thinking of.
>
> Tradition bit me in the ass, thanks for spelling that one out for me,
> I like it a lot. :)
>

Hmm, are we talking about one unix login name per app?  Not unlike
what you do for mysql, etc.  Some good advantages:
1. Applications can't hurt each other, or the system
2. Backing up an app is simple:
tar czvf /tmp/app.tar.gz /home/app
Really useful when doing software dev.  Just copy the folder to one
with another name, chmod -R 000 it.
3. An unusually transparent way to figure out what an app is storing.

Maybe they could have their homes somewhere less anthropological?
Such as /usr/share/apps/foo?  Where the permissions are set up the
same (read-only for everyone, except the owning user?)

The real user of the phone can use sudo to get to what they need.

-- 
H. Lally Singh
Ph.D. Candidate, Computer Science
Virginia Tech
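Added example, not part of Lally's post or of the Openmoko project: a shell sketch of the layout he describes, one home per app under a shared prefix such as /usr/share/apps, readable by everyone and writable only by the owning account, together with the tar backup and the "copy it, then chmod -R 000 it" trick. APPS_ROOT, the app name demoapp and the function names are assumptions. Creating the matching unix account and chown'ing the home to it need root and are left out; the freeze step uses find -depth instead of chmod -R so that permissions are stripped bottom-up no matter in which order chmod -R visits directories. app_check_perms is the defender's check: a group- or world-writable entry under an app home is exactly what would let another app's account step on this one's data.

```shell
#!/bin/sh
# Example code added to the archived thread; not from the post or the
# Openmoko project. APPS_ROOT and the app names used here are assumptions.
set -eu

# Prefix for per-app homes; /usr/share/apps is the thread's suggestion.
# Override it to run this unprivileged in a scratch directory.
APPS_ROOT="${APPS_ROOT:-/usr/share/apps}"

# Create an app home with the suggested permissions: directory 0755, files
# 0644, so everyone can read but only the owning user can write.
# (useradd/chown for the per-app account are omitted: they need root.)
app_home_create() {
    home="$APPS_ROOT/$1"
    mkdir -p "$home"
    chmod 755 "$home"
    # umask 022 makes anything the app writes default to 0644 / 0755.
    ( umask 022; printf 'sample=1\n' > "$home/settings.ini" )
    printf '%s\n' "$home"
}

# Back up an app as one tarball of its home (the thread's
# "tar czvf /tmp/app.tar.gz /home/app", without -v). Prints the archive path.
app_backup() {
    app="$1"
    out="${2:-/tmp/$app.tar.gz}"
    tar czf "$out" -C "$APPS_ROOT" "$app"
    printf '%s\n' "$out"
}

# Freeze a copy for development work: copy the home under another name,
# then strip every permission bit so nobody but root can read or touch it.
# find -depth visits children before their directory, which gives the same
# result as chmod -R 000 without relying on chmod's traversal order.
app_freeze_copy() {
    src="$APPS_ROOT/$1"
    dst="$APPS_ROOT/$1.frozen"
    cp -R "$src" "$dst"
    find "$dst" -depth -exec chmod 000 {} +
    printf '%s\n' "$dst"
}

# Check the read-only-for-others rule: succeed only if nothing under the
# app home is group-writable (-020) or world-writable (-002).
app_check_perms() {
    ! find "$APPS_ROOT/$1" \( -perm -020 -o -perm -002 \) | grep -q .
}

# Mode string of a path as ls shows it, e.g. d--------- for a frozen dir.
app_mode() {
    ls -ld "$1" | cut -c1-10
}
```

Run it with APPS_ROOT pointed at a scratch directory (for example `APPS_ROOT=$(mktemp -d)`) to try the functions without root; with the real prefix, the directories would additionally be chowned to the app's own account so that the 0755/0644 modes actually separate the apps from each other.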