[Cryptography] North Korea and Sony
mitch at niftyegg.com
Sat Dec 13 23:30:53 EST 2014
On Sat, Dec 13, 2014 at 5:19 AM, Jerry Leichter <leichter at lrw.com> wrote:
> On Dec 12, 2014, at 6:31 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> >> BTW, it's this repurposing of the user ID mechanism that makes it
> complicated to support multiple users on devices running these OS's.
> > I think Polaris dynamically added UserIDs as needed. I don't see how
> that would interfere with having two or more users on a machine, as long as
> the "real" users had different names from the shadow IDs, and that could be
> done with a naming convention.
> You end up with a user id for every user/program pair, as you certainly
> don't want to move inter-user controls into each program. With only a
> single user, the classic suid mechanism grants the right access to a
> program while it's running; with multiple users, you'll need something more
> Certainly not impossible, just much more complicated.
We should include group IDs as well as the SELinux labels.
The nice thing about GIDs is that they can be shared and
a user and process can have multiple groups.
SELinux: Contexts and labels, is under appreciated especially
when combined with data files and SGID and SUID flags on
I suspect the necessary tools are present but the difficult policy
decisions that plague all security systems are wanting.
See also "Smack" http://en.wikipedia.org/wiki/Smack_%28software%29
Smack is the main access control mechanism for the MeeGo mobile Operating
System. It is also used to sandbox HTML5 web applications in the
Tizen architecture, in the commercial Wind River Linux solutions for
embedded device development, and in Philips Digital TV products.
T o m M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cryptography