At 1:30 PM -0400 8/17/04, Felix Gallo wrote:
> Dan writes:
> > Anyway, there *is* a threefold plan, involving quotas,
> > privileges/capabilities, and restricted embedding environments.
>
> If there's a link out there, I must've missed it. Is there one?

There isn't. I'll go fix that with PDD 18, Security and Quotas. Might be a day or two until it hits the repository.


> > > clock time (ulimit style)
> >
> > This'd be a per-interpreter, per-user quota.
>
> Depending on how 'interpreter' is to be, ah, interpreted, that may be too large a grain -- a language may want to have a set-up period during which the rules don't apply, and also a thread (for monitoring purposes, or other) to which the rules apply or don't. e.g., [...] If by interpreter you mean thread then I'm with you, though. Or if each thread has-a new interpreter, that also is the good stuff.

Yep, per-interpreter means per-thread. Each thread gets an interpreter. (Logically, at least. There'll only ever be one OS thread in an interpreter at any one time, though I suppose it's possible an interpreter could move from one thread to another. I'd rather not, though.)


Also quota and priv checking can be enabled and (if you have sufficient privs) disabled on the fly, so you can do setup and then enable checking, or disable checking when you're running privileged code.

> > [...]
> > Quotas.
> > [...]
> > Privileges
> > [...]
> > Also privileges.
> > [...]
> > Privs, possibly quotas and the embedding environment for IO and event
> > type things.
>
> You've got it covered. So where's the spec?

In my brain. I'm fixing that, though, as there's not that much room. :)

> > > Is anyone aware of any reason why the straightforward approach --
> > > [...] would not be the best solution?
> >
> > Mainly because it's a bit too restrictive.
>
> Man, I thought I had a bad case of second systems effect...but you're working on, like, ninth. I genuflect.

I figure if we're going to steal the system, we might as well steal a mature one. :-P


> > What I'm planning on is a VMS-style quota, privilege, and identifier
> > system.
>
> Pagan heretic -- you shall burn in the purifying flames of RSTS/E!

Mmmm, RSTS/E. And BASIC/PLUS 2.6. Now *those* were the days. Now, where did I put my overlaying linker...


> > (Or, rather, an extendable privilege system where extra privs
> > can be defined and set/reset) Nothing too fancy, but expressive
> > enough to allow for reasonable control over restricted interpreters.
>
> Can you provide a short example of what 'extra privs can be defined and set/reset' means? I haven't touched VMS in about two decades.

VMS's (and yes, for the grammar wonks, that apostrophe is actually correct) privilege system has 32 separate privs, each conveniently fitting in a bit. They govern things like being able to exceed quotas, ignore protection codes on things in your group or on everything, do physical IO, or ignore privileges. 32 of the things since they conveniently fit in a word.


It also has a named capability thing, where you can tag things (executables, shared libraries, files, system objects) with an identifier, then give those identifiers to users--basically a filesystem ACL scheme extended to non-file objects. (It's used for the filesystem ACL setup, FWIW, though generally you don't use the same identifier for file control that you do for non-file objects)

Having the two schemes split's one of those historical things -- what I'd like to do is just be able to have an unbounded number of privilege bits and add to them at runtime as need be. That way instead of faking privs with identifiers you just extend the list of available privs.

The VMS priv system also has two (well, three, but the third's a default used when processes are created) sets of privs per process -- the current and the allowed privs. Current privs are what you can do right now, while the allowed are the privs you can enable. You'll often find VMS accounts with a hefty set of allowed privs but a small set of current privs (so you *can* kill the world, but won't by default), and sometimes you'll have accounts that have current privs that aren't in the allowed set (so the priv is enabled until it is dropped, and once dropped will never come back) which is useful for initialization that needs extra privs temporarily.

There are also privileged subs, and automatic priv checking for subs, but that's all extra. I really ought to start writing the spec so I can pass it on to people who actually know what they're doing to rip to shreds...
--
Dan


--------------------------------------it's like this-------------------
Dan Sugalski                          even samurai
[EMAIL PROTECTED]                         have teddy bears and even
                                      teddy bears get drunk
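The privilege model Dan sketches above (an unbounded, runtime-extendable set of privilege bits; per-interpreter "current" and "allowed" masks; one-shot init privs that never come back once dropped; priv checking that can be switched off only by sufficiently privileged code), as an added toy implementation. This is example code written for this page, not Parrot's code and not the PDD 18 design as shipped. The privilege names it uses (EXQUOTA, PHY_IO, SETPRV, INIT_ONLY, NEWPRIV) are constructed for the example.

```python
"""Added example, not Parrot's code: a toy VMS-style privilege model matching
the description in the thread above. Privileges are named and registered at
runtime, each taking one bit of an unbounded integer mask, and each
interpreter (one per thread) carries a 'current' mask and an 'allowed' mask.
The privilege names (EXQUOTA, PHY_IO, SETPRV, INIT_ONLY, NEWPRIV) are
constructed for this example."""


class PrivRegistry:
    """Name -> bit-position table that can grow while the VM runs."""

    def __init__(self):
        self._bits = {}

    def define(self, name):
        # Idempotent: re-defining an existing priv hands back its existing bit,
        # so two components can register the same name without conflict.
        if name not in self._bits:
            self._bits[name] = 1 << len(self._bits)
        return self._bits[name]

    def bit(self, name):
        if name not in self._bits:
            raise KeyError(f"unknown privilege {name!r}")
        return self._bits[name]

    def names(self, mask):
        """Decode a mask back into sorted privilege names (for logging)."""
        return sorted(n for n, b in self._bits.items() if mask & b)


class Interpreter:
    """Per-interpreter (hence per-thread) privilege state.

    allowed: privs this interpreter may turn on whenever it likes.
    current: privs in effect right now. A priv that is current but not
             allowed is an init-time priv: once disabled it never comes back.
    """

    def __init__(self, registry, allowed=(), current=()):
        self.reg = registry
        self.allowed = 0
        self.current = 0
        for name in allowed:
            self.allowed |= registry.bit(name)
        for name in current:
            self.current |= registry.bit(name)
        self.checking = True  # priv checks are enforced unless switched off

    def has(self, name):
        """Is `name` in effect? Always true while checking is disabled."""
        if not self.checking:
            return True
        return bool(self.current & self.reg.bit(name))

    def enable(self, name):
        """Turn a priv on. Only privs in the allowed mask may be (re-)enabled."""
        bit = self.reg.bit(name)
        if not self.allowed & bit:
            raise PermissionError(f"{name} is not in the allowed set")
        self.current |= bit

    def disable(self, name):
        """Turn a priv off. If it is not also allowed, it is gone for good."""
        self.current &= ~self.reg.bit(name)

    def set_checking(self, enabled):
        """Switching checks off needs SETPRV (constructed name); switching them
        back on is always permitted, so dropping privilege is never blocked."""
        if not enabled and not self.has("SETPRV"):
            raise PermissionError("SETPRV required to disable checking")
        self.checking = enabled


def demo():
    """Walk through the cases described in the thread; returns a result dict."""
    reg = PrivRegistry()
    for name in ("EXQUOTA", "PHY_IO", "SETPRV", "INIT_ONLY"):
        reg.define(name)
    # A restricted interpreter: may enable EXQUOTA later, holds INIT_ONLY
    # only during set-up, and has no SETPRV so it cannot switch checks off.
    interp = Interpreter(reg, allowed=("EXQUOTA",), current=("INIT_ONLY",))
    out = {"init_has_exquota": interp.has("EXQUOTA")}
    interp.enable("EXQUOTA")
    out["after_enable"] = interp.has("EXQUOTA")
    interp.disable("INIT_ONLY")  # end of set-up: drop the one-shot priv
    try:
        interp.enable("INIT_ONLY")
        out["init_only_back"] = True
    except PermissionError:
        out["init_only_back"] = False
    try:
        interp.set_checking(False)
        out["could_disable_checks"] = True
    except PermissionError:
        out["could_disable_checks"] = False
    # Privs added at runtime take the next free bit; nothing is capped at 32.
    out["new_bit"] = reg.define("NEWPRIV")
    out["current_names"] = reg.names(interp.current)
    return out


if __name__ == "__main__":
    print(demo())
```

Python's arbitrary-precision integers give the "unbounded number of privilege bits" for free; a C implementation would use a growable array of words instead. The one deliberate asymmetry is in `set_checking`: turning checks back on never requires a privilege, so code can always give up power even when it has lost the ability to reclaim it.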
