Re: Access control in Emacs?

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Qiantan Hong <qhong@mit.edu>
To: Christine Lemmer-Webber <cwebber@dustycloud.org>
Cc: "emacs-devel@gnu.org" <emacs-devel@gnu.org>
Subject: Re: Access control in Emacs?
Date: Wed, 15 Sep 2021 23:16:03 +0000	[thread overview]
Message-ID: <00A34915-997B-463F-9898-5B6277724497@mit.edu> (raw)
In-Reply-To: <87h7en10sc.fsf@dustycloud.org>

Hi Christine,

> However, the path forward is *not* ACLs.  These are a dangerous and
> error-prone direction:
> 
>  http://waterken.sourceforge.net/aclsdont/current.pdf
> 
> Thankfully, we have much of the primitives to go in a safer
> direction... object capability security, which is a much better
> direction, is easily modeled on top of lexically scoped lisps, of which
> emacs lisp increasingly is supportive.  See the following:
> 
>  http://mumble.net/~jar/pubs/secureos/secureos.html

Thanks for the references! Those are very informative,
and I’m recently thinking how to bring ocaps to Emacs,
however to avoid reinventing stuff (what’s worse, reinventing in a wrong way)
I think discussion with someone more sophisticated at security will be helpful.
So, here’s what I’m thinking:

To my understanding, to make a system capability-secure
one basically just need to eliminate or hide all ambient authority.
(One usually also require ways to store and transfer capabilities
but we have lambda and closure, so no need worrying about that).

One apparent ubiquitous ambient authority in Emacs is name resolutions
to files in FS, buffers, processes etc. 
This is an easy fix. We can conveniently attach a text property to
the name strings as a proof of capability, and under capability-safe evaluation
mode all name resolution procedures check this text property.

Global/special variables are a more contrived case.
Do they count as ambient authority and also must be “fixed”?
How to do that?
One way I could think of is to have separate “sandboxed global environment”
(we can hack it together by using a different obarray).
Then, to make capability-secure code to possibly affect the “real” global environment
we have to do some “linking” between the “sandboxed global environment” and 
the “real” one. Is this a reasonable/managable thing to do?
“Sandbox” doesn’t sound like a good word.
\bAlso in such cases it might be tedious to figure out the right set of variables to link,
especially if someone linked only part of the necessary variables 
the behavior could become unpredictable (in such case the sandboxed code
and the ambient code “diverge” on values of some variables that ought to be
shared but haven’t been).

After all, does the general idea sketched above 
(capability-proof name string and sandboxed global environment)
sounds like reasonable security model?
What’re your thoughts on these specific issues mentioned above?

Best,
Qiantan

next prev parent reply	other threads:[~2021-09-15 23:16 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-14 12:49 Access control in Emacs? Qiantan Hong
2021-09-14 14:09 ` Phil Sainty
2021-09-14 14:28 ` dick
2021-09-14 15:05   ` Qiantan Hong
2021-09-14 15:52     ` dick
2021-09-14 16:02       ` Stefan Kangas
2021-09-14 14:49 ` Stefan Monnier
2021-09-15 20:11   ` Richard Stallman
2021-09-15 20:21   ` Robin Tarsiger
2021-09-14 18:13 ` Christine Lemmer-Webber
2021-09-14 19:59   ` tomas
2021-09-15 23:16   ` Qiantan Hong [this message]
2021-09-16  2:16     ` Christine Lemmer-Webber
2021-09-18  0:29       ` Richard Stallman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=00A34915-997B-463F-9898-5B6277724497@mit.edu \
    --to=qhong@mit.edu \
    --cc=cwebber@dustycloud.org \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).