Jonathan S. Shapiro wrote:
> It is also not confinement if the parent can read the child without the
> consent of the child. Therefore it is not confinement at all.
>

I have two problems with this statement.

a) Every process has been instantiated by /someone/, so every process has a parent.

b) I agree with you that this is not confinement, but the parent *may* confine the child by dropping all references to it.

a) With the kind of confinement you propose, the parent is a constructor (iiuc). The confinement works because the constructor is trusted. So if the user can trust *one* program running, she can use this program to instantiate confined subsystems for her.

b) The question is if the parent *can* drop all references. If the parent's parent is trusted, of course everything works. If not *and* the parent's parent is able to control the parent, this will not work. So as we do not want a trust hierarchy that is rooted in the admin, somewhere in the hierarchy there has to be a program that its parent cannot control and the user trusts (let's call it the user's shell).

This cannot be achieved without *some* trust. In the case of "static" accounts, this is the trust in the system installer. In the case of "dynamic" accounts this is the trust in the creator of the account, so most probably the system admin. I can't see where constructors change this.

-- 
-ness-

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
