Paul Rubin <http://[EMAIL PROTECTED]> writes:

>> > That's not what privilege separation means. It means that the
>> > privileged objects stay secure even when the unprivileged part of the
>> > program is completely controlled by an attacker.
>> In which case, what's "private" got to do with this? The examples I've
>> seen of it don't give you privilege separation any more than python does.
> If you have a java class instance with a private member that's (say) a
> network socket to a special port, access to the port is controlled
> entirely by that class.
Are you sure? My understanding was that Java's introspection mechanism could be used to access private variables.

A couple of other things to think about:

Are you sure you want to use the C++ model for privilege separation? C++'s design doesn't exactly inspire confidence in me. I'd recommend checking languages that were designed to be OO from scratch, rather than as extensions or rewrites of other languages. I'd also check dynamic languages to see if any of them do this - other than PHP, which apparently adopted the C++ model, and is another language I wouldn't trust for inspiration.

In static languages, information of this kind is normally attached to variables. In Python, the only thing a variable knows is the object it references. So do you want the privilege information attached to the variable or the object it references? If you attach it to the variable, you're again making what appears to be a fundamental change in Python, and possibly invoking serious implementation headaches. If you attach it to the object, you solve a lot of the problems Python's reference model creates, but you also leave open the possibility of simple assignment changing an attribute.

Finally, another hole to fix/convention to follow to make this work properly in Python. This one is particularly pernicious, as it allows code that doesn't reference your class at all to violate the private variables. Anyone can dynamically add methods to an instance, the class it belongs to, or to a superclass of that class. This means code in one place can add a method to a superclass of your class that clobbers your private variable, which can then be invoked on an instance of your class to surprise you. So you may have to examine code that doesn't reference your class at all to find the statement that is clobbering your private variable.

<mike
--
Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
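The superclass hole described in the message above, as an added example that is not code from the thread; the classes `Base` and `Vault` and the attribute names are made up for illustration:

```python
# Added example: Python's "private" attributes are a naming convention,
# not a privilege boundary. Code that never mentions Vault can still
# overwrite its private state by attaching a method to a superclass.


class Base:
    """Hypothetical superclass that Vault happens to inherit from."""


class Vault(Base):
    """Keeps a 'private' secret by convention (_secret) and a
    name-mangled one (__token, stored as _Vault__token)."""

    def __init__(self, secret: str) -> None:
        self._secret = secret
        self.__token = "t0k3n"

    def check(self, guess: str) -> bool:
        return guess == self._secret


def add_reset_to_superclass() -> None:
    """Third-party code that only knows about Base, never Vault."""

    def reset(self, value: str) -> None:
        # Overwrites whatever subclass stored under _secret.
        self._secret = value

    Base.reset = reset  # monkey-patch the superclass at runtime


def demo() -> dict:
    """Run the scenario and return what an observer can verify."""
    v = Vault("hunter2")
    results = {"before": v.check("hunter2")}
    add_reset_to_superclass()
    v.reset("owned")  # resolved through the MRO to Base.reset
    results["old_rejected"] = not v.check("hunter2")
    results["new_accepted"] = v.check("owned")
    # Introspection also exposes the mangled name, so double underscores
    # hide nothing from code that inspects the instance dictionary.
    results["mangled_visible"] = "_Vault__token" in vars(v)
    return results


if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is that any state which must survive hostile in-process code needs an OS-level boundary (a separate process or user), since no attribute-naming scheme in Python provides one.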