moko running everything as root
lally.singh at gmail.com
Sun Jun 22 22:09:05 CEST 2008
On Wed, Jun 18, 2008 at 6:24 PM, Kevin Dean <kevin at foreverdean.info> wrote:
> On Wed, Jun 18, 2008 at 4:26 PM, Knight Walker <moko at kobran.org> wrote:
>> The root/user separation is the most fundamental part of a security
>> policy and here is why. Root is by its nature not only unrestricted but
>> unrestrictable (I think I just made up a new word). A non-root user can
>> only destroy the data that user "owns". Now while the conventional
>> desktop, user "johndoe" owns all his MP3s and pr0n and thus can delete
>> and otherwise destroy them; on the Moko platform, the extensive use of
>> DBus makes destruction of the "most important part" more difficult.
>> What I'm saying is that (Where possible) a daemon holds the important
>> data (PIM data, calendar data, etc) and is capable of restricting what
>> the user can do with it. The user account communicates with this daemon
>> (via DBus or whatever) and gets the data the user wants while protecting
>> the same. Both being normal users, they are not allowed to step on each
>> other, but if the user is root, then someone with malicious intents can
>> exploit that user account to step on the guardian account, either
>> causing a DoS (crash) or actually manipulating/destroying data.
> Actually, I think you've just sold me. I'm thinking about Openmoko a
> lot like I think of a desktop system (having looked at the way the
> data is on Om currently) that holds "everything is a file" and while
> it may be true, from an action perspective passing information through
> a non-root, non-user daemon exposes that information to the user in a
> way that's more than simply "dealing with a file". That's the goal of
> the ASU/zhone and it's a management case I wasn't even thinking of.
> Tradition bit me in the ass, thanks for spelling that one out for me,
> I like it a lot. :)
Hmm, are we talking about one unix login name per app? Not unlike
what you do for mysql, etc. Some good advantages:
1. Applications can't hurt each other, or the system
2. Backing up an app is simple:
tar czvf /tmp/app.tar.gz /home/app
Really useful when doing software dev. Just copy the folder to one
with another name, chmod -R 000 it.
3. An unusually transparent way to figure out what an app is storing.
Maybe they could have their homes somewhere less anthropological?
Such as /usr/share/apps/foo? Where the permissions are set up the
same (read-only for everyone, except the owning user?)
The real user of the phone can use sudo to get to what they need.
H. Lally Singh
Ph.D. Candidate, Computer Science
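The per-app account layout sketched in this post, as an added shell example that is not from the list or from Openmoko's own tools: one system account per app, its home under the proposed /usr/share/apps location (APPS_ROOT is my name for it), read-only for everyone but the owning account, and the tar backup from the post. It assumes GNU shadow's useradd; account creation is kept in its own function because it needs root.

```shell
#!/bin/sh
# Per-application Unix accounts (added example, not from the thread).
# APPS_ROOT is an assumed variable for the /usr/share/apps location proposed above;
# override it to exercise the layout in a scratch directory.
set -eu
APPS_ROOT="${APPS_ROOT:-/usr/share/apps}"

# Root-only step: a system account with no login shell and no password, so the
# only way in is via sudo from the phone's real user (assumes GNU useradd).
make_app_account() {
    app="$1"
    id "$app" >/dev/null 2>&1 && return 0
    useradd --system --home-dir "$APPS_ROOT/$app" --no-create-home \
            --shell /usr/sbin/nologin "$app"
}

# The app's home: rwxr-xr-x, i.e. read-only for everyone except the owner.
# Ownership is applied only if the account exists (unprivileged runs skip it).
make_app_home() {
    app="$1"
    home="$APPS_ROOT/$app"
    mkdir -p "$home"
    chmod 0755 "$home"
    if id "$app" >/dev/null 2>&1; then
        chown "$app:$app" "$home"
    fi
    printf '%s\n' "$home"
}

# Backup exactly as in the post: one tarball per app directory.
backup_app() {
    app="$1"
    out="${2:-/tmp/$app.tar.gz}"
    tar czf "$out" -C "$APPS_ROOT" "$app"
    printf '%s\n' "$out"
}

# Octal mode of an app home, so a caller can check the read-only-for-others rule
# (GNU stat first, BSD/BusyBox-style fallback).
home_mode() {
    stat -c '%a' "$APPS_ROOT/$1" 2>/dev/null || stat -f '%Lp' "$APPS_ROOT/$1"
}
```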