From: Nick Roberts
Newsgroups: comp.lang.ada
Subject: Re: For the AdaOS folks
Date: Wed, 5 Jan 2005 00:02:46 +0000

"Warren W. Gay VE3WWG" wrote:

> Dmitry A. Kazakov wrote:
> > But the only need in firewall is the policy of trusting behind it.
>
> That is all I need to keep you from messing with my files ;-)

I think I side with Dmitry on this one.

When reading a variety of authoritative documents, papers, and books on the subject of computer security, one of the basic principles they all espouse is that of 'minimum necessary privilege'. In other words, access is denied by default, of every object (file, database table, etc.) to every subject (person, program). Access is granted between an object and a subject only when there is a specific need.

Okay, I think this principle needs to be taken as a guideline, rather than a strict rule. It's not likely to be practical on a very fine-grained, highly dynamic level. Nevertheless, I intend to make the security mechanisms capable of supporting this principle, to a reasonable degree, and to make the default security policies implement it.

In practice, that means that, for example, when a user creates a new file (and saves it), the new file is, by default, inaccessible to (and invisible to) all other unprivileged users.

By the same token, I intend to make it easy to deliberately share things. For example, a user can create a kind of directory or folder called a 'file group', share the group with other users (by simple drag-and-drop), and then make a file part of the group (also by simple drag-and-drop). The other users can then see and access the file. The group can be made a 'read-only' type or a 'full access' type.

When somebody uses an internet service in AdaOS, they do so with a certain 'role' of a certain user. This restricts their privileges (to that role of that user). If that role is not permitted to access a file, the user of the internet service is not, either. Of course, typically, things will be arranged to permit minimum necessary access by internet services. For example, a web server will be permitted to access the files (and other data) which make up a web site, but nothing else.

The necessity for a separate firewall seems to be obviated by this arrangement. The whole system is acting as a big firewall in itself. In particular, AdaOS will not have any holes or back doors in its security. The security mechanisms will be hermetically sealed. (This may be somewhat in contrast to other operating systems.)

-- 
Nick Roberts
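A toy model of the access policy sketched in the post above (files private to their creator by default, shared only through read-only or full-access file groups, and an internet service acting under one role of one user that can only narrow that user's access). This is an illustration added here, not code from the post or from AdaOS; the users, file names and the "webserver" role are constructed.

```python
from dataclasses import dataclass, field

# Constructed model, not AdaOS code: a file group is shared read-only or full.
@dataclass
class FileGroup:
    mode: str                                      # "read-only" or "full"
    files: set = field(default_factory=set)        # files dragged into the group
    shared_with: set = field(default_factory=set)  # users the group is shared with

@dataclass
class Policy:
    owners: dict = field(default_factory=dict)  # file -> creating user
    groups: list = field(default_factory=list)
    roles: dict = field(default_factory=dict)   # (user, role) -> files that role may touch

    def create_file(self, user, name):
        self.owners[name] = user                # a new file is visible to its creator only

    def user_may(self, user, name, write):
        if self.owners.get(name) == user:       # the creator keeps full access
            return True
        for g in self.groups:                   # others only through a group shared with them
            if name in g.files and user in g.shared_with:
                if not write or g.mode == "full":
                    return True
        return False                            # default deny

    def may(self, user, name, write=False, role=None):
        """Check for a user directly, or for a service acting under one of the user's roles."""
        if not self.user_may(user, name, write):
            return False
        if role is None:
            return True
        # a role never widens the user's access; it narrows it to a named set of files
        return name in self.roles.get((user, role), set())

def demo():
    p = Policy()
    p.create_file("alice", "report.txt")
    p.create_file("alice", "index.html")
    p.groups.append(FileGroup("read-only", files={"report.txt"}, shared_with={"bob"}))
    p.roles[("alice", "webserver")] = {"index.html"}    # the web site's files, nothing else
    return {
        "owner_writes": p.may("alice", "report.txt", write=True),
        "stranger_reads": p.may("carol", "report.txt"),                    # default deny
        "group_read": p.may("bob", "report.txt"),                          # shared read-only
        "group_write": p.may("bob", "report.txt", write=True),             # group is read-only
        "web_serves_site": p.may("alice", "index.html", role="webserver"),
        "web_reads_report": p.may("alice", "report.txt", role="webserver"),  # role restricted
    }
```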