On Thu, Dec 04, 2003 at 11:17:32AM -0700, Dave wrote:
> That is my assumption. The only thing that would give me confidence
> that there are no holes would be a common process for connecting raw
> input to privileged routines -- a process which is so simple that
> everyone can see it is robust. Such a process exists to isolate
> different privilege levels in the instruction set of a microprocessor.
> It seems like something similar could be done to isolate routines that
> run with root privilege.
There are always attempts being made to make the security boundaries in the system as small as possible. It's an ongoing and long-term task, though. Unix systems are very complex beasts.

I doubt that an isolated input-validation process would do much to improve security, and it certainly wouldn't give me any confidence at all about the absence of vulnerabilities. The validation required varies enormously from application to application: for instance, that required on data received by sshd over the network has practically nothing in common with that required on cron's saved crontab state. By the time you implemented something general enough to serve the needs of everything that receives user input, even as root, you'd be right back to what we have right now, namely read() and write().

There's no magic bullet in security design, only thoughtfulness and care.

If you want some ideas, you might try having a look at the userv package, which provides a facility to help make security boundaries as narrow as possible. Of course, even with this, care is needed to make sure that the data passed over the security boundary is not so complicated as to take you back to square one.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
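An added illustration of the narrow-boundary idea in Colin's reply (this is constructed example code, not userv's implementation and not from either poster): the privileged side accepts one short line of a fixed grammar and nothing else, so the only validation it needs is small enough to audit at a glance. The service names, the wire format and the 64-byte limit are assumptions made for the example.

```python
import os
import socket

# Constructed example: a deliberately narrow boundary between an unprivileged
# requester and a privileged helper. Only one short line of a fixed grammar
# crosses it, so the privileged side's validation stays trivially auditable.
ALLOWED_SERVICES = {"reload-config", "rotate-logs"}   # constructed whitelist
MAX_REQUEST = 64   # bytes: one line, no nesting, no escapes, no options


def parse_request(raw: bytes):
    """Return the service name if raw is exactly b'SERVICE <name>\\n' with
    <name> on the whitelist; otherwise return None. Anything not matching
    this tiny grammar is rejected before any privileged routine runs."""
    if len(raw) > MAX_REQUEST or not raw.endswith(b"\n"):
        return None
    parts = raw[:-1].split(b" ")
    if len(parts) != 2 or parts[0] != b"SERVICE":
        return None
    try:
        name = parts[1].decode("ascii")
    except UnicodeDecodeError:
        return None
    return name if name in ALLOWED_SERVICES else None


def privileged_side(sock):
    """The side that keeps root: read one request, validate it, answer."""
    raw = sock.recv(MAX_REQUEST + 1)   # +1 so an over-long line fails the check
    name = parse_request(raw)
    sock.sendall(b"ok\n" if name else b"denied\n")
    return name


def request_service(raw: bytes):
    """Run the exchange in two processes: the child plays the requester
    (where a real helper would drop privileges with os.setuid), the parent
    the privileged side. Returns the name the privileged side accepted."""
    priv_end, req_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                        # requester process
        priv_end.close()
        req_end.sendall(raw)
        req_end.recv(16)                # wait for the verdict
        os._exit(0)
    req_end.close()
    name = privileged_side(priv_end)
    priv_end.close()
    os.waitpid(pid, 0)
    return name
```

Compare the size of parse_request with what a general-purpose validator for sshd's network input or cron's crontab state would need; the boundary stays simple only because the data crossing it is.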