From: Qiantan Hong <qhong@mit.edu>
To: Christine Lemmer-Webber <cwebber@dustycloud.org>
Cc: "emacs-devel@gnu.org" <emacs-devel@gnu.org>
Subject: Re: Access control in Emacs?
Date: Wed, 15 Sep 2021 23:16:03 +0000 [thread overview]
Message-ID: <00A34915-997B-463F-9898-5B6277724497@mit.edu> (raw)
In-Reply-To: <87h7en10sc.fsf@dustycloud.org>
Hi Christine,
> However, the path forward is *not* ACLs. These are a dangerous and
> error-prone direction:
>
> http://waterken.sourceforge.net/aclsdont/current.pdf
>
> Thankfully, we have much of the primitives to go in a safer
> direction... object capability security, which is a much better
> direction, is easily modeled on top of lexically scoped lisps, of which
> emacs lisp increasingly is supportive. See the following:
>
> http://mumble.net/~jar/pubs/secureos/secureos.html
Thanks for the references! Those are very informative,
and I’m recently thinking how to bring ocaps to Emacs,
however to avoid reinventing stuff (what’s worse, reinventing in a wrong way)
I think discussion with someone more sophisticated at security will be helpful.
So, here’s what I’m thinking:
To my understanding, to make a system capability-secure
one basically just need to eliminate or hide all ambient authority.
(One usually also require ways to store and transfer capabilities
but we have lambda and closure, so no need worrying about that).
One apparent ubiquitous ambient authority in Emacs is name resolutions
to files in FS, buffers, processes etc.
This is an easy fix. We can conveniently attach a text property to
the name strings as a proof of capability, and under capability-safe evaluation
mode all name resolution procedures check this text property.
Global/special variables are a more contrived case.
Do they count as ambient authority and also must be “fixed”?
How to do that?
One way I could think of is to have separate “sandboxed global environment”
(we can hack it together by using a different obarray).
Then, to make capability-secure code to possibly affect the “real” global environment
we have to do some “linking” between the “sandboxed global environment” and
the “real” one. Is this a reasonable/managable thing to do?
“Sandbox” doesn’t sound like a good word.
\bAlso in such cases it might be tedious to figure out the right set of variables to link,
especially if someone linked only part of the necessary variables
the behavior could become unpredictable (in such case the sandboxed code
and the ambient code “diverge” on values of some variables that ought to be
shared but haven’t been).
After all, does the general idea sketched above
(capability-proof name string and sandboxed global environment)
sounds like reasonable security model?
What’re your thoughts on these specific issues mentioned above?
Best,
Qiantan
next prev parent reply other threads:[~2021-09-15 23:16 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-14 12:49 Access control in Emacs? Qiantan Hong
2021-09-14 14:09 ` Phil Sainty
2021-09-14 14:28 ` dick
2021-09-14 15:05 ` Qiantan Hong
2021-09-14 15:52 ` dick
2021-09-14 16:02 ` Stefan Kangas
2021-09-14 14:49 ` Stefan Monnier
2021-09-15 20:11 ` Richard Stallman
2021-09-15 20:21 ` Robin Tarsiger
2021-09-14 18:13 ` Christine Lemmer-Webber
2021-09-14 19:59 ` tomas
2021-09-15 23:16 ` Qiantan Hong [this message]
2021-09-16 2:16 ` Christine Lemmer-Webber
2021-09-18 0:29 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00A34915-997B-463F-9898-5B6277724497@mit.edu \
--to=qhong@mit.edu \
--cc=cwebber@dustycloud.org \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.