Illuminatus Primus <vermontat_private> writes:
>
> I think it is far easier to implement secure enforcement of policy when
> the privilege levels are more clearly separated than in setid. Sending
> the data through sockets is one way to accomplish this. Check out userv:
> http://www.chiark.greenend.org.uk/~ian/userv/
>
> I'm sure implementing something similar that allows portable
> authentication of uids wouldn't be that hard - I can think of several
> schemes right now.

Yes, that is most people's experience on first thinking about the
problem, but it becomes harder the deeper you look into it. One very
nasty problem is the following:

Server A has ownership X and is acting on behalf of user Y. Client B is
owned by Y, but is actually a server acting on behalf of user Z, and
then calls A. Should A regard its user as X, Y or Z?

This sort of thing can be resolved, but is pretty hard to do starting
from an unsuitable system (like Unix or MVS.) You need to build the
concept of proxy authorities from the very start, and allow for an
arbitrary level of nesting. And then you need to start thinking about
remote processes, and whether the authentication of the remote system
needs to be taken into account. Or things like shared memory servers,
where a single transaction may have multiple originators (e.g. the
sender and the receiver.)

Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email: nmm1at_private
Tel.: +44 1223 334761 Fax: +44 1223 334679
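As an added illustration of the nesting problem in the message above (example code written for this page, not from the thread, from userv, or from any real system), the following model compares four ways a server could answer "who is my user?" for the call chain A (owned by X) <- B (owned by Y, acting for Z). The principals X, Y and Z, the ACLs, and the policy names are constructed; the only real-world detail assumed is that a Unix server can learn the uid of the process on the other end of a local socket (e.g. SO_PEERCRED on Linux) but has to take any forwarded "acting on behalf of" chain on trust.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# Constructed ACLs: which principals may read which resource.
# X (the server's owner) holds rights to the home data it serves.
ACL: Dict[str, FrozenSet[str]] = {
    "/srv/secret":  frozenset({"X"}),
    "/home/y/data": frozenset({"Y", "X"}),
    "/home/z/data": frozenset({"Z", "X"}),
    "/pub/readme":  frozenset({"X", "Y", "Z"}),
}


@dataclass(frozen=True)
class Call:
    """One hop into a server.

    caller_uid: uid of the process on the other end of the socket, as the
                OS reports it (authenticated, e.g. SO_PEERCRED).
    forwarded:  chain of principals the caller claims to act for,
                originator first; forwarded by the caller, not vouched
                for by the OS.
    """
    caller_uid: str
    forwarded: Tuple[str, ...]


Policy = Callable[[str, Call, str], bool]


def can_read(principal: str, resource: str) -> bool:
    return principal in ACL.get(resource, frozenset())


def policy_own_uid(owner: str, call: Call, resource: str) -> bool:
    """Check only the server's own uid (what a plain setuid program does).
    Whatever X may read, any caller can obtain through A: a confused deputy."""
    return can_read(owner, resource)


def policy_peer_uid(owner: str, call: Call, resource: str) -> bool:
    """Check only the authenticated uid of the immediate caller (Y here),
    ignoring that Y is itself acting for Z."""
    return can_read(call.caller_uid, resource)


def policy_originator(owner: str, call: Call, resource: str) -> bool:
    """Check only the first principal in the forwarded chain (Z here),
    trusting the intermediary's claim and ignoring its own rights."""
    origin = call.forwarded[0] if call.forwarded else call.caller_uid
    return can_read(origin, resource)


def policy_intersection(owner: str, call: Call, resource: str) -> bool:
    """Proxy-authority rule: every principal on the path, plus the server
    itself, must be allowed. Effective authority is the intersection along
    the chain, so no hop can lend rights it does not hold."""
    path = call.forwarded + (call.caller_uid, owner)
    return all(can_read(p, resource) for p in path)


POLICIES: Dict[str, Policy] = {
    "own_uid": policy_own_uid,
    "peer_uid": policy_peer_uid,
    "originator": policy_originator,
    "intersection": policy_intersection,
}


def decide(owner: str, call: Call, resource: str) -> Dict[str, bool]:
    """Evaluate one request under every policy; returns {policy_name: allowed}."""
    return {name: pol(owner, call, resource) for name, pol in POLICIES.items()}


# The situation from the message: A runs as X; B runs as Y, acting for Z,
# and calls A. A sees peer uid Y and a forwarded chain ("Z",).
NESTED_CALL = Call(caller_uid="Y", forwarded=("Z",))

if __name__ == "__main__":
    for res in ACL:
        print(res, decide("X", NESTED_CALL, res))
```

Running it shows each single-identity policy granting something the chain as a whole should not get: `own_uid` hands `/srv/secret` to a request that originated with Z, `peer_uid` serves Y's data to Z's request because B happens to run as Y, and `originator` believes an unverified claim. The intersection rule is the conservative one: it denies whenever any intermediary lacks the right (here even Z's own data, because the path runs through Y), which is exactly the price of never granting more than each hop holds, and it only works if the chain is carried from the very first hop, as the message says.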
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:17 PDT