Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#28
Originally Posted by Benson
Sheesh. Running as root; what do you propose to stop a process running as root?
How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Originally Posted by Benson
Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root.
Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.

Originally Posted by Benson
Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things.
That's opinion; your argument is..? Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a Linux developer, and who wants to install an independent PIM on his Nit.

Originally Posted by Benson
In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.)
What this means is that the firewall isn't perfect but that it greatly increases the cost of a successful attack. Perfect would be nice, but in the real world I'll settle for good locks and a decent alarm over nothing, nada, zip or bupkis.

Originally Posted by Benson
Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel
That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.

Originally Posted by Benson
it won't let me run I can get from a trusted source, or anything else outside the sandboxes.
No, as I said, users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent API), or the other apps most users care about.

Originally Posted by Benson
So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.
This is doubly wrong.

Firstly, installing OSes should be an unusual procedure that can have all sorts of special warnings and affordances (e.g. turning off the machine and following a special reboot procedure) to cue the user that he is performing an unusual task and get him to read and think about warnings. I doubt many users could be persuaded to load a non-Nokia OS even without security warnings, but with them - forget it. Not a practical method of attack.

Secondly, ***most potential users would be willing to give up non-Nokia OSes to get better security!*** Otoh, I can't count on Nokia for decent apps - not even an ebook reader or a PIM.

Originally Posted by Benson
The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.
This is just irrelevant to how a sandbox model works.

The current security model (i.e. none) is a fairly good explanation of why the Nit hasn't been picked up for vertical applications and other corporate development.

Anyway, I suspect that Nokia will be ditching Maemo/ITOS for Android (which does use a sandboxed virtual machine) if they continue updating firmware after the next release. It's hard to see why they'd carry on with Maemo after this point.