Dan writes:

> Anyway, there *is* a threefold plan, involving quotas,
> privileges/capabilities, and restricted embedding environments.

If there's a link out there, I must've missed it. Is there one?

> > clock time (ulimit style)
>
> This'd be a per-interpreter, per-user quota.

Depending on how 'interpreter' is to be, ah, interpreted, that may be too large a grain -- a language may want to have a set-up period during which the rules don't apply, and also a thread (for monitoring purposes, or other) to which the rules apply or don't. e.g.,

    #!//googlestorage/programs/concurrent_basic.08012005
    10 ? "HELLO WORLD! NOW DOING SETUP"
    20 USE MODULE IRC::SERVER
    30 USE REMOTE ALLOW PUBLIC :LOW-QUOTA TO GOSUB 60 IN PARALLEL
    40 GOSUB IRC::SERVER::SETUP         " counts against perms/quota in this interp?
    50 GOTO DO_INTERESTING_STUFF        " does not return; counts against perms/quota?
    60 ARGUMENT X
    70 PRINT X TO REMOTES
    80 RETURN

If by interpreter you mean thread then I'm with you, though. Or if each thread has-a new interpreter, that also is the good stuff.

> [...]
> Quotas.
> [...]
> Privileges
> [...]
> Also privileges.
> [...]
> Privs, possibly quotas and the embedding environment for IO and event
> type things.

You've got it covered. So where's the spec?

> > Is anyone aware of any reason why the straightforward approach --
> > [...] would not be the best solution?
>
> Mainly because it's a bit too restrictive.

Man, I thought I had a bad case of second systems effect... but you're working on, like, ninth. I genuflect.

> What I'm planning on is a VMS-style quota, privilege, and identifier
> system.

Pagan heretic -- you shall burn in the purifying flames of RSTS/E!

> (Or, rather, an extendable privilege system where extra privs
> can be defined and set/reset) Nothing too fancy, but expressive
> enough to allow for reasonable control over restricted interpreters.

Can you provide a short example of what 'extra privs can be defined and set/reset' means? I haven't touched VMS in about two decades.

Felix
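Added example, not Dan's design and not code from this thread: a toy Python model of the two things discussed above, an extensible privilege set where extra privs are defined by name and then set/reset per interpreter, and a ulimit-style clock-time quota that is suspended inside a set-up window but still applies to any other thread (the monitoring-thread case). Every name here (PrivilegeRegistry, RestrictedInterpreter, the IRC_LISTEN privilege, the quota figures) is invented for illustration, and time is charged explicitly rather than measured, so the accounting is deterministic.

```python
import threading
from contextlib import contextmanager


class PrivilegeError(PermissionError):
    pass


class QuotaExceeded(RuntimeError):
    pass


class PrivilegeRegistry:
    """Extensible privilege namespace: new privs are defined by name at run time.

    Setting, resetting or checking a privilege that was never defined is an
    error, so a typo in a check fails closed instead of silently passing.
    """

    def __init__(self, initial=()):
        self._known = set(initial)

    def define(self, name):
        self._known.add(name)

    def require_defined(self, name):
        if name not in self._known:
            raise PrivilegeError(f"undefined privilege: {name}")


class RestrictedInterpreter:
    """Per-interpreter privilege set plus a ulimit-style clock-time quota.

    - privs are set/reset by name; only defined privs may be set;
    - charge(seconds) accounts time against the quota, except for a thread
      that is currently inside setup() (the set-up period where the rules
      do not apply); other threads are charged as usual.
    """

    def __init__(self, registry, clock_quota_s):
        self.registry = registry
        self.clock_quota_s = clock_quota_s
        self.clock_used_s = 0.0
        self._privs = set()
        self._lock = threading.Lock()
        self._tls = threading.local()   # per-thread 'in setup' flag

    # --- privileges: define (registry), then set / reset / check here ---
    def set_priv(self, name):
        self.registry.require_defined(name)
        self._privs.add(name)

    def reset_priv(self, name):
        self.registry.require_defined(name)
        self._privs.discard(name)

    def has_priv(self, name):
        self.registry.require_defined(name)
        return name in self._privs

    def require(self, name):
        if not self.has_priv(name):
            raise PrivilegeError(f"privilege {name} not held")

    # --- quota ---------------------------------------------------------
    @contextmanager
    def setup(self):
        """Exempt the calling thread (only) from the clock quota until the block ends."""
        self._tls.in_setup = True
        try:
            yield
        finally:
            self._tls.in_setup = False

    def charge(self, seconds):
        """Account clock time to this interpreter; raise once the quota is exceeded."""
        if getattr(self._tls, "in_setup", False):
            return self.clock_used_s          # set-up phase: not charged
        with self._lock:
            self.clock_used_s += seconds
            if self.clock_used_s > self.clock_quota_s:
                raise QuotaExceeded(f"{self.clock_used_s:.2f}s > {self.clock_quota_s:.2f}s")
            return self.clock_used_s


def demo():
    """Constructed walk-through; returns the observations instead of printing them."""
    reg = PrivilegeRegistry(initial={"NETWORK", "FILES"})
    reg.define("IRC_LISTEN")                  # an 'extra priv' defined after the fact
    interp = RestrictedInterpreter(reg, clock_quota_s=1.0)
    interp.set_priv("IRC_LISTEN")

    try:
        interp.set_priv("MAKE_COFFEE")        # never defined: rejected
        undefined_rejected = False
    except PrivilegeError:
        undefined_rejected = True

    with interp.setup():
        interp.charge(5.0)                    # main thread in set-up: free
        monitor = threading.Thread(target=interp.charge, args=(0.3,))
        monitor.start()                       # another thread: charged normally
        monitor.join()
    after_setup_s = interp.clock_used_s       # 0.3, only the monitor's share

    interp.require("IRC_LISTEN")              # held: passes
    interp.reset_priv("IRC_LISTEN")
    try:
        interp.require("IRC_LISTEN")
        denied_after_reset = False
    except PrivilegeError:
        denied_after_reset = True

    interp.charge(0.6)                        # 0.9s used, still under 1.0s
    try:
        interp.charge(0.6)                    # 1.5s used: over quota
        over_quota = False
    except QuotaExceeded:
        over_quota = True

    return {"undefined_rejected": undefined_rejected, "after_setup_s": after_setup_s,
            "denied_after_reset": denied_after_reset, "over_quota": over_quota}
```

The point of keeping definition in a registry and set/reset on the interpreter is that a privilege can be added by a module without touching the checks that already exist, while an undefined name still fails closed; the per-thread set-up flag is what lets a monitoring thread stay under the quota while the main thread is exempt, which is the grain Felix is asking about.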