the problem with sandboxes is that they are monolithic, as is this
discussion of mail - if i have a notion of a compartmentalized system
with users and access rights (like almost all operating systems from the
late 60s onwards, but not like
simple desktop single-user executives as found on many personal
computers today, unfortunately),
then i can have mail agents run scripts, but with the authorities of
the user, perhaps restricted further by some context, and i can then
configure arbitrary rights w.r.t. each possible tool that the script
might invoke - some of these can be gathered together under the
headings of "file input, output, execution, creation etc", and others
under the rights of "audio/video/mouse/interaction with user",
"network i/o to such and such an address (list)", etc,
for convenience and expressiveness in the ACL system (other
management tools like user, other, groups etc help scale the task),
and then i can design a set of sensible security policies for a site,
and employ an expert to configure things for everyone - typically,
with good systems, defaults and default operating system notions of
user, file permissions, sudo-type access etc, will suffice...

iff you start with a decent system;
otherwise, forget it - someone will always find a way to set things up
disastrously wrong, because it will be the only way to get work done
....this is a standard problem with systems that impose all-or-nothing
security - either they leak like a sieve or users find them
unusable...
so the solution is to ditch indecent systems.

In message <[EMAIL PROTECTED]>, Leonid Yegoshin typed:

 >>>From: "James P. Salsman" <[EMAIL PROTECTED]>
 >>>
 >>>A MUA might ask the console operator for permission to proceed when:
 >>>
 >>>1. A mail message wants to run a program.  (e.g., ECMAscripts.)
 >>>
 >>>2. An attachment is executable. (Nearly universal practice.)
 >>>
 >>>3. A program wants to write to a file.  (Usually not trapped more
 >>>than once per execution if at all.)
 >>>
 >>>4. A program wants to read your address book.  (Does any mail system
 >>>that offers this functionality limit it at all?)
 >>>
 >>>5. A program wants to send mail.  (e.g., having MAPI's Send notify
 >>>the user and queue the proposed message as a draft instead of sending.)
 >>>
 >> 6. A program wants to send a file to somewhere. Or any permanently stored
 >>    information (like cookie but not limited).
 >>
 >>            - Leonid Yegoshin.
 >>

 cheers

   jon
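The rights model sketched in the reply above, written out as an added example that is not from the thread or any project named in it: site defaults per tool category, per-user ACL overrides, and a mail context that can only narrow the result to one of the "allow/ask/deny" outcomes the quoted MUA list talks about. All policy values, user names and addresses are constructed for the example.

```python
"""Rights mediation for scripts a mail agent runs on a user's behalf.

Each tool call is checked against the user's rights for that tool
category (file, interaction, network); the fact that the script arrived
by mail can only narrow those rights, never widen them.  Everything in
the sample policy below is constructed for this example.
"""
from ipaddress import ip_address, ip_network

DENY, ASK, ALLOW = 0, 1, 2          # ordered so min() picks the stricter decision
NAMES = {DENY: "deny", ASK: "ask", ALLOW: "allow"}

# Site defaults: what most users get without any per-user configuration.
SITE_DEFAULTS = {
    "file": {"read": ALLOW, "write": ASK, "create": ASK, "execute": DENY},
    "interaction": {"audio": DENY, "video": DENY, "mouse": DENY},
    "network": [],                   # CIDR list a script may reach; empty = nothing
}

# Per-user overrides, as the site's administrator would configure them.
USER_ACL = {
    "alice": {"file": {"execute": ASK}, "interaction": {"mouse": ALLOW},
              "network": ["192.0.2.0/24"]},
}

# Context restriction: a script that came in by mail never exceeds these,
# whatever the user could do interactively.
MAIL_CONTEXT_CEILING = {"file": {"execute": ASK, "write": ASK},
                        "interaction": {"mouse": ASK}}

def effective_rights(user):
    """Merge site defaults with the user's ACL entries (user entries win)."""
    rights = {k: (dict(v) if isinstance(v, dict) else list(v))
              for k, v in SITE_DEFAULTS.items()}
    for category, entry in USER_ACL.get(user, {}).items():
        if category == "network":
            rights[category] = list(entry)
        else:
            rights[category].update(entry)
    return rights

def decide(user, category, operation, context="mail"):
    """Return 'allow', 'ask' or 'deny' for one tool call made by a script.

    For 'network' the operation is the destination IP address; for the
    other categories it is the operation name.  Unknown operations and
    unlisted addresses are denied."""
    rights = effective_rights(user)
    if category == "network":
        addr = ip_address(operation)
        verdict = ALLOW if any(addr in ip_network(n) for n in rights["network"]) else DENY
    else:
        verdict = rights.get(category, {}).get(operation, DENY)
    if context == "mail":   # the mail context can only tighten the verdict
        verdict = min(verdict, MAIL_CONTEXT_CEILING.get(category, {}).get(operation, verdict))
    return NAMES[verdict]
```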
