[Cryptography] General security infrastructure suggestion: where to take it?

Ray Dillinger bear at sonic.net
Sat Dec 27 16:41:22 EST 2014


This is not specifically cryptographic, although an implementation
of it in a secure file system might be.  Any suggestions about
what would be a better venue for bringing this up would be
appreciated.

The Unix permissions convention of root:group:user is IMO no
longer really adequate for the security issues we're facing at
this point, and should probably be replaced with a convention
of root:usergroup:user:exegroup:executable.

The evolution I propose changes the structure of file permissions
to keep track of a program/program group having privileges over
that file, and gives the users access to tools for administering
the privileges of programs/program groups running under their
own login.

Regulating privs by root:group:user was the right answer when
the only thing we really needed to protect was the system
integrity, and the question was simply "whom can we trust?"

But that's no longer the case.  Users (not just root) now value
system integrity mainly (or only) because system integrity is
necessary to protect assets far more valuable to them than the
system itself.

But, while necessary, it is not sufficient. The primary threat
to those assets comes not from other users, but from software
running under their own account, with their own privileges, that
does things using their privileges which they did not anticipate
and would not approve of that software doing.

The trust issue between individual users' assets and the
privileges given the executables that they run is now as severe
in terms of preventing losses to individual users, as the trust
issue between system integrity and the privileges accorded
individual users.

Accordingly, I think a future evolution of Unix probably ought
to have users able to control delegation of their privileges to
executables running under their login, in exactly the same way
that root controls the delegation of privileges to user accounts.

So, a user who has just downloaded "SOOPERGAME.SWF" may have
no problem with it having privileges to read and write in its
own directory in his home folder, but has no real reason to
trust its authors and absolutely would not give it the
'executable group membership' or however this works, that it
would need to read/write in his customer database, mailbox,
or bitcoin wallet.

Which would mean that securing operations should check the
privileges of both user (to be sure the user has the authority
from root) and the executable (to be sure that the executable
has the authority from the user) before allowing an operation.

				Bear
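One way to model the two-axis check the post describes (user authority delegated by root, executable authority delegated by the user), as an added Python example that is not part of the original message; the FilePerms/Request layout, the program-group names and the sample files are assumptions made here:

```python
from dataclasses import dataclass
R, W, X = 4, 2, 1  # conventional rwx permission bits

@dataclass(frozen=True)
class FilePerms:
    # user axis: the familiar owner / group / other triple
    owner: str
    group: str
    user_mode: tuple        # (owner_bits, group_bits, other_bits)
    # executable axis (hypothetical): program and program group the owning user delegated to
    exe: str
    exegroup: str
    exe_mode: tuple         # (exe_bits, exegroup_bits, other_bits)

@dataclass(frozen=True)
class Request:
    uid: str
    groups: frozenset       # user groups granted by root
    exe: str                # executable asking for the operation
    exegroups: frozenset    # program groups the user admitted this executable to

def _axis_allows(ident, memberships, owner, group, mode, want):
    """Classic Unix class selection on one axis: owner, else group, else other."""
    if ident == owner:
        bits = mode[0]
    elif group in memberships:
        bits = mode[1]
    else:
        bits = mode[2]
    return bits & want == want

def allowed(req, f, want):
    """Grant only if root->user delegation AND user->executable delegation both permit."""
    user_ok = _axis_allows(req.uid, req.groups, f.owner, f.group, f.user_mode, want)
    exe_ok = _axis_allows(req.exe, req.exegroups, f.exe, f.exegroup, f.exe_mode, want)
    return user_ok and exe_ok

# Constructed sample objects (names are illustrative, not from the post).
WALLET = FilePerms("alice", "alice", (R | W, 0, 0), "wallet-app", "finance", (R | W, R, 0))
GAME_DIR = FilePerms("alice", "alice", (R | W | X, 0, 0), "soopergame", "games", (R | W | X, R | X, 0))
ALICE_WALLET_APP = Request("alice", frozenset({"alice"}), "wallet-app", frozenset({"finance"}))
ALICE_GAME = Request("alice", frozenset({"alice"}), "soopergame", frozenset({"games"}))
BOB_WALLET_APP = Request("bob", frozenset({"bob"}), "wallet-app", frozenset({"finance"}))

if __name__ == "__main__":
    print("wallet-app writes wallet:", allowed(ALICE_WALLET_APP, WALLET, R | W))  # True
    print("game reads wallet:", allowed(ALICE_GAME, WALLET, R))                  # False
    print("game writes its own dir:", allowed(ALICE_GAME, GAME_DIR, R | W))       # True
    print("bob via wallet-app:", allowed(BOB_WALLET_APP, WALLET, R))              # False
```

The game is refused the wallet even though it runs as alice, because the second axis fails; bob is refused even through the trusted program, because the first axis fails.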
