X/smtp servers (was Re: TrustedBSD Extensions Project)
jont at us.ibm.com
Wed Apr 12 18:44:41 GMT 2000
Someone purporting to be Richard Offer wrote:
* $ from robert at cyrus.watson.org at "11-Apr: 8:07pm" | sed "1,$s/^/* /"
*
*
* The mandatory access control components of TrustedBSD, as with other
* trusted operating systems, are intended to address the subject and object
* labeling requirements. Specifically, all user data objects, and subjects,
* are assigned security labels which limit the types of accesses that may be
* performed.
| What are you intending to do for X ? Or are you only interested in the
| server problem space ?
I don't know that even a commercial X has got past CMW.
One obvious solution is to copy MS and use a different window stack/list
for the trusted path (that's why the three fingered salute brings up the
control dialog on an otherwise empty screen - it's a separate window list).
One way to do this easily would seem to be to leverage the GGI project
(www.ggi-project.org) and use its in-kernel driver (supposed to be safer
than the X in-kernel driver) and to run X servers on top of GGI.
While there is an X server that runs on GGI already, the GGI people
haven't yet got trusted path and secure attention key facilities.
[ I asked about a month ago. They do not have a multiplexor/proxy server
as a high priority - needed to multiplex mmap'd framebuffer. ]
This same problem applies to all large complex user mode servers, for
example http+cgi, nntp, email, databases.
For email a partial solution is to use a MTA that supports 'less' privilege
such as qmail, mmdf, or postfix (and others).
So I see adding extensive audit to sendmail as counter-productive, it might
encourage people to mistakenly trust it.
- JonT
---
Jon Tidswell
Advanced OS Technology Group / Sawmill Linux Project
IBM TJ Watson Research Center 30 Saw Mill River Road, Hawthorne, N.Y. 10532
Email: jont at us.ibm.com Voice: +1 914 784 7550
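An added toy model, not code from this post, TrustedBSD, X or GGI, of the separate-window-list design Jon describes: ordinary clients can only map windows onto the untrusted list, the secure attention key is consumed by the server and switches the display to the trusted list, so a look-alike "Control Dialog" drawn by an untrusted client is neither visible nor able to receive keystrokes while the real one is up. Client names and the two-stack API are constructed for the illustration.

```python
"""Constructed model of a display server with two window lists."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Window:
    owner: str
    title: str


class Display:
    """Two independent window lists; only the active one is rendered and
    only its topmost window receives keyboard input."""

    def __init__(self, trusted_clients):
        self._trusted_clients = set(trusted_clients)  # e.g. the control dialog
        self._stacks = {"untrusted": [], "trusted": []}
        self.active = "untrusted"

    def map_window(self, client: str, title: str, stack: str = "untrusted") -> None:
        # An ordinary client may only ever land on the untrusted list,
        # whatever stack it asks for and whatever it titles the window.
        if stack == "trusted" and client not in self._trusted_clients:
            raise PermissionError(f"{client!r} may not map onto the trusted stack")
        self._stacks[stack].append(Window(client, title))

    def secure_attention_key(self) -> None:
        # SAK is handled by the server itself and never delivered to a client.
        self.active = "trusted"

    def visible(self) -> List[Window]:
        return list(self._stacks[self.active])

    def deliver_key(self) -> Optional[str]:
        """Owner of the window that would receive the next keystroke."""
        stack = self._stacks[self.active]
        return stack[-1].owner if stack else None


def demo() -> Tuple[List[str], Optional[str], Optional[str], bool]:
    d = Display(trusted_clients={"trusted-dialog"})
    d.map_window("trusted-dialog", "Control Dialog", stack="trusted")
    d.map_window("xterm", "xterm")
    d.map_window("rogue", "Control Dialog")  # look-alike on the untrusted list
    try:
        d.map_window("rogue", "Control Dialog", stack="trusted")
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True
    before = d.deliver_key()  # without SAK, the look-alike gets the keystrokes
    d.secure_attention_key()
    owners = [w.owner for w in d.visible()]  # only the genuine dialog remains
    return owners, before, d.deliver_key(), rogue_rejected
```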