From: nickroberts@blueyonder.co.uk (Nick Roberts)
Newsgroups: comp.lang.ada
Subject: Re: Advantage of XML based GUI? (was Re: Ada-inspired OS/Language)
Date: Fri, 13 Sep 2002 19:55:58 GMT
Organization: AdaOS
Message-ID: <3d823132.1089638283@news.cis.dfn.de>
References: <4519e058.0209101828.cb5ff85@posting.google.com> <3d7f9d3f.920665532@news.cis.dfn.de> <3d80b566.992395741@news.cis.dfn.de> <3d813a2b.1026389832@news.cis.dfn.de>

On Fri, 13 Sep 2002 08:24:44 +0000 (UTC), Preben Randhol strongly typed:

>On Fri, 13 Sep 2002 01:53:42 GMT, Nick Roberts wrote:
>>>I hope you are thinking of doing it the UNIX way. I mean that the user
>>>does not have root/administrator privileges and that there is only one
>>>root superuser which is not used unless when one needs to install
>>>software.
>>
>> AdaOS will be a fully object oriented OS, and its design is not closely
>> related to any of the Unixen. I am considering the various security schemes
>> offered by CORBA at the moment. I may well choose to enhance these with
>> many further facilities.
>
>I was only thinking in the respect of how you define users.
>
>> The security mechanisms of AdaOS will be built into each object (class),
>> and will be tailored to the specific needs of that object (class); this is
>> a considerably more sophisticated approach than any isomorphic OS can
>> offer.
>
>So if somebody runs a program that contains a virus of some kind he will
>not delete the hard disc for example? The reason for my question was
>that one can in Linux choose to login as root all the time when one has
>one's own machine, but this is utterly stupid. The reason is that if you
>run a rogue program it will have access to all the disc and can do
>anything as it would be run under superuser privileges. Therefore one
>makes a normal user and uses this all the time and only uses the
>superuser when one needs to install software. In Windows they put the
>superuser privileges on one of the users... That's why I'm asking.

In simple terms, we will take steps to ensure that this sort of thing cannot
happen in standard AdaOS installations. For example, when a program is
downloaded from the Internet and executed, it will be executed with an
'authority' that is very limited (certainly disallowing reformatting the hard
disk ;-)

If that program tries to access an object it (its authority) does not have
permission to access, the user will be asked whether to grant that access; the
user can say "yes" (in which case the permission is effectively added to the
authority) or "no". Objects will have security 'groups', to make this process
a little less laborious.

In AdaOS, when a user logs on, the authentication program (called "Quis")
grants him or her a set of authorities, by the expedient of running a
representative (avatar) program, such as "Jumbo" (GUI Session Manager), which
has been granted those authorities. It is these authorities which carry
security rights and information.
Whenever the program accesses another object, it cites an authority; it is
this authority that is used by the object to check the validity of the access
(and in any auditing log it may make).

Each machine will have one special user, the 'workstation administrator', who
is granted an authority that permits full access to every object in or created
by the workstation. This will include, for example, the hard disk (direct
access to it).

However, every user will also be able (and encouraged) to define multiple
'roles' for himself or herself. Each role will define which authorities to use
in conjunction with which objects and which types of access, and a set of
authorities to grant. When the user runs a program, they specify a role, and
this controls the authorities granted to the program, and the default ways in
which it uses them to access objects.

Thus, a user could have a role "Workstation Administrator", as well as other
roles such as "Idle Web Wanderer". "Workstation Administrator" may grant the
authority that permits reformatting of the hard disk. Probably "Idle Web
Wanderer" will not. So, by citing the role "Workstation Administrator" only
when necessary, the user can help protect himself from doing something
disastrous.

-- 
Nick Roberts
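To make the scheme above concrete, here is an added toy model (not AdaOS code, and not from the original post) of the authority, role, prompt-and-grant and audit behaviour it describes; the class names, `run_program`, the `ask_user` callback and the sample roles are assumptions:

```python
# Added toy model of the authority/role scheme described in the post; not AdaOS code.
# Class names, run_program, the ask_user callback and the sample data are assumptions.
from dataclasses import dataclass, field

@dataclass
class Authority:
    name: str
    permissions: set = field(default_factory=set)   # {(object_name, access_kind)}

@dataclass
class SecuredObject:
    name: str
    audit_log: list = field(default_factory=list)

    def access(self, authority, kind, ask_user):
        """Check the cited authority. If it lacks permission, ask the user;
        "yes" adds the permission to the authority, as the post describes.
        Every decision, with the cited authority, goes to this object's log."""
        key = (self.name, kind)
        if key not in authority.permissions:
            if not ask_user(authority.name, self.name, kind):
                self.audit_log.append((authority.name, kind, "denied"))
                return False
            authority.permissions.add(key)
        self.audit_log.append((authority.name, kind, "allowed"))
        return True

@dataclass
class Role:
    name: str
    authorities: list   # authorities granted to programs run under this role

    def cite_for(self, obj, kind):
        """Default: cite an authority that already permits the access, else the first."""
        for auth in self.authorities:
            if (obj.name, kind) in auth.permissions:
                return auth
        return self.authorities[0]

def run_program(role, obj, kind, ask_user):
    """A program started under `role` cites one of that role's authorities."""
    return obj.access(role.cite_for(obj, kind), kind, ask_user)

# Constructed sample: one user with two roles, one disk object.
disk = SecuredObject("hard_disk")
admin_auth = Authority("workstation_admin", {("hard_disk", "reformat"), ("hard_disk", "read")})
web_auth = Authority("downloaded_program")
admin_role = Role("Workstation Administrator", [admin_auth])
web_role = Role("Idle Web Wanderer", [web_auth])
deny_all = lambda auth, obj, kind: False   # user answers "no" to every prompt
```

Running the downloaded program under "Idle Web Wanderer" fails to reformat the disk (and is logged as denied), while the same request under "Workstation Administrator" succeeds; a "yes" at the prompt persists in the cited authority for later accesses.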