
Re: mail sandbox wall authority, inward and outbound

2000-05-12 00:20:02


the problem with sandboxes is that they are monolithic, as is this
discussion of mail - if i have a notion of a compartmentalized system
with users and access rights (like almost all operating systems from the
late 60s onwards, but not like
simple desktop single-user executives as found on many personal
computers today, unfortunately),
then i can have mail agents run scripts, but with the authorities of
the user, perhaps restricted further by some context, and i can then
configure arbitrary rights w.r.t. each possible tool that the script
might invoke - some of these can be gathered together under the
headings of "file input, output, execution, creation etc", and others
under the rights of "audio/video/mouse/interaction with user",
"network i/o to such and such an address (list)", etc
for convenience and expressiveness in the ACL system (other
management tools like user, other, groups etc help scale the task)
and then i can design a set of sensible security policies for a site,
and employ an expert to configure things for everyone - typically,
with good systems, defaults and default operating system notions of
user, file permissions, sudo type access etc, will suffice...

iff you start with a decent system;
otherwise, forget it - someone will always find a way to set things up
disastrously wrong, because it will be the only way to get work done
....this is a standard problem with systems that impose all or nothing
security - either they leak like a sieve or users find them
unusable...
so the solution is to ditch indecent systems.

In message <200005112238(_dot_)PAA00950(_at_)leonid(_dot_)genesyslab(_dot_)com>, Leonid Yegoshin typed:

From: "James P. Salsman" <bovik(_at_)best(_dot_)com>

A MUA might ask the console operator for permission to proceed when:

1. A mail message wants to run a program.  (e.g., ECMAscripts.)

2. An attachment is executable. (Nearly universal practice.)

3. A program wants to write to a file.  (Usually not trapped more
than once per execution if at all.)

4. A program wants to read your address book.  (Does any mail system
that offers this functionality limit it at all?)

5. A program wants to send mail.  (e.g., having MAPI's Send notify
the user and queue the proposed message as a draft instead of sending.)

6. A program wants to send a file to somewhere, or any permanently stored
   information (such as cookies, but not limited to them).

           - Leonid Yegoshin.


 cheers

   jon
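The scheme argued for above (a script runs with the user's authority, narrowed by the context it was invoked in, with per-operation rights grouped under file, user-interaction and network headings) and the six "ask the operator" cases in the quoted list can be put together in a few dozen lines. The following is an added illustration for this thread, not code from any of its messages; the operation names, the glob/CIDR grant format, the `Grants`/`Context`/`decide` names and the sample principals are all hypothetical.

```python
"""Per-operation authority for scripts run by a mail agent.

Added illustration for this thread; not code from any message in it.
The operation vocabulary, grant format and sample users are constructed.
"""
from fnmatch import fnmatchcase
import ipaddress

ALLOW, DENY, ASK = "allow", "deny", "ask"

# Operation vocabulary, grouped under the headings used in the post.
FILE_OPS = {"file.read", "file.write", "file.exec", "file.create"}
USER_OPS = {"ui.audio", "ui.video", "ui.mouse"}
NET_OPS = {"net.connect", "mail.send", "addressbook.read", "data.export"}
ALL_OPS = FILE_OPS | USER_OPS | NET_OPS


class Grants:
    """A set of (operation, pattern) grants.  net.connect patterns are CIDR
    blocks; every other resource is matched as a shell-style glob."""

    def __init__(self, grants):
        for op, _ in grants:
            if op not in ALL_OPS:
                raise ValueError(f"unknown operation {op!r}")
        self.grants = frozenset(grants)

    def permits(self, op, resource):
        for gop, pattern in self.grants:
            if gop != op:
                continue
            if op == "net.connect":
                net = ipaddress.ip_network(pattern, strict=False)
                if ipaddress.ip_address(resource) in net:
                    return True
            elif fnmatchcase(resource, pattern):
                return True
        return False


class Context:
    """Narrows a user's authority for one invocation context, e.g. 'script
    carried by a mail message'.  A context can withhold rights or turn them
    into operator prompts; it can never grant what the user lacks."""

    def __init__(self, name, grants, ask_ops=()):
        self.name = name
        self.grants = grants
        self.ask_ops = frozenset(ask_ops)


def decide(user, context, op, resource):
    """allow / deny / ask for a script acting as `user` inside `context`.

    Effective rights are the intersection of the user's and the context's:
    both must permit the (op, resource) pair.  Operations the context lists
    in ask_ops are referred to the console operator instead of proceeding."""
    if op not in ALL_OPS:
        return DENY                      # unknown operation: fail closed
    if not user.permits(op, resource):
        return DENY                      # the user never had this right
    if not context.grants.permits(op, resource):
        return DENY                      # right exists but is withheld here
    if op in context.ask_ops:
        return ASK
    return ALLOW


# --- constructed sample configuration (hypothetical users and paths) --------

# An ordinary user: full home directory, scratch space, site binaries, any
# network address, mail sending, address book and export of stored data.
JON = Grants({
    ("file.read", "/home/jon/*"), ("file.write", "/home/jon/*"),
    ("file.write", "/tmp/*"), ("file.create", "/home/jon/*"),
    ("file.exec", "/usr/bin/*"), ("net.connect", "0.0.0.0/0"),
    ("mail.send", "*"), ("addressbook.read", "*"), ("data.export", "*"),
})

# A guest account that was never allowed to send mail or run programs.
GUEST = Grants({("file.read", "/home/guest/*"), ("net.connect", "10.0.0.0/8")})

# What a mail agent lets a message-borne script do: read the attachment spool,
# write a scratch directory, no execution, network only inside the site block;
# the sensitive operations from the quoted list go to the operator.
MAIL_SCRIPT = Context(
    "mail-script",
    Grants({
        ("file.read", "/home/*/Mail/attachments/*"),
        ("file.write", "/tmp/mailscript/*"),
        ("file.create", "/tmp/mailscript/*"),
        ("net.connect", "10.0.0.0/8"),
        ("mail.send", "*"), ("addressbook.read", "*"), ("data.export", "*"),
    }),
    ask_ops={"file.write", "addressbook.read", "mail.send", "data.export"},
)

if __name__ == "__main__":
    for op, res in [("file.read", "/home/jon/Mail/attachments/invoice.txt"),
                    ("file.read", "/home/jon/.ssh/id_rsa"),
                    ("file.exec", "/usr/bin/perl"),
                    ("net.connect", "10.1.2.3"),
                    ("mail.send", "everyone@example.org")]:
        print(f"{decide(JON, MAIL_SCRIPT, op, res):5} {op:17} {res}")
```

The point of the intersection in `decide` is attenuation: the mail context can only take rights away from whoever receives the message, so a site expert configures one `Context` for message-borne scripts and the per-user ACLs the operating system already maintains do the rest. The `ASK` outcome is what the quoted list describes, a prompt rather than a silent allow or a silent block, which is the middle ground an all-or-nothing sandbox cannot express.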