jandrese, 3 days ago:
The problem is how do you set up those permissions without a god object? How do you fix ones that are broken on a running system? Ultimately the security systems that introduce high complexity in the name of fine grain permission controls end up being the most fragile and hardest to verify. People get stuff wrong then break it further trying to get their job done. The better system is sometimes the one that doesn't have all of the features but is comprehensible to humans.

charcircuit, 3 days ago:
> how do you set up those permissions without a god object

Let the operating system define default granted permissions for OS apps. Have the OS let the user grant permissions at install / runtime for apps.

theamk, 3 days ago:
If an app requires a permission, how does the OS know that it's OK to grant it? For example, I want to back up my system, so I install an app which needs a permission called "bypass any file access control and let me read every file". How does the OS know it's legitimate and not malware trying to steal data?

It could be "this requires a special digital signature from the OS manufacturer" -> then the private key of this digital signature is a "god object"

It could be "this requires confirmation from the physically present user" -> then you basically have passwordless sudo

It could be "this requires the user's pin/password/biometrics" -> then you have regular sudo

Either way, there is some source of authority in here, even if it's called "root key" or "user pin" instead of "root account".

everforward, 2 days ago:
Let me preface this by saying it is wildly impractical, but you could boot into a separate, minimal OS that mounts your primary OS disk and manages those permissions. For an extra layer, have the "god mode OS" installed on physically read-only media, and mount the primary OS in a no-exec mode. Regular OS can't modify permissions, and the thing that can modify permissions can't be modified.

It's too clunky for home use, but could probably be used for things like VM images (where the "god mode OS" is the image builder, and changing permissions would require rebuilding the image and redeploying).

theamk, a day ago:
Some BSDs have the concept of "securelevel" - a global setting that could be used to permanently put the system up into a mode which restricts certain operations, like writing to raw disks or truncating logs. The idea is if you want to modify the system, you reboot into single-user mode and do what you need. It does not start up ssh / networking by default, so it is accessible to the local console only.

And of course plenty of smaller MCUs (used in IoT devices) can be locked down to prevent any sort of writing to program memory - you need an external programming adapter to update the code. This is the ultimate security in some sense - no matter what kinds of bugs you have, a power cycle will always restore the system into a pristine state (*unless there is a bug in the settings parser).

charcircuit, 3 days ago:
> then the private key of this digital signature is a "god object"

You could instead require the app to be part of the OS. The next gotcha from you, I imagine, would be that the build farm for the next OS update is a god object, and at that point I think this is a meaningless tangent. I'll concede and say you have to trust your OS creator. But you always have to trust your OS creator for any OS.

> then you basically have passwordless sudo

If sudo couldn't be used from other programs / shell scripts and didn't give access to a god account, but instead did simple things like let you use ping, then that seems fine to me. But why require people to manually wrap programs when it could be handled automatically?

> Either way, there is some source of authority in here

Sure, but it's a system that's much better than sudo.

theamk, 2 days ago:
> the build farm for the next OS update is a god object

This is a very interesting question! It may sound meaningless to you, but modifying firmware images is pretty common when trying to modify locked-down hardware. As in, "I'll unpack the firmware image, set the root password and enable telnet, then flash it back". So no, the build farm is not a god object. Whatever controls firmware updates is. Can any app initiate it? Or does it need the user's password? Or maybe physical presence? Or a private key that only select people have?

> If sudo couldn't be used from other programs / shell scripts and doesn't give access to a god account.. But why require people to manually wrap programs..

So, you mean like what "polkit"? This is what systemd is doing - instead of requiring "sudo", commands like "systemctl start SOMETHING" will handle privilege escalation themselves. For example on my computer, running this in a terminal pops up an interactive dialog asking for my password.

In theory, you can have a whole suite of programs - "secure-cp", "secure-mv", "secure-edit" (see also: "sudoedit"), "secure-find", etc... But it seems pretty wasteful, no? Sure, the most common actions (installing/removing apps, configuring networks) can get their own nice privilege-escalating wrappers, but there are many advanced tasks that a user can do, and it's much easier to make (and audit) a single "sudo" than hundreds of random scripts.

(Unless you want to have a fully locked-down system where only the OS creator can decide which privileged actions are allowed. Those things exist and are pretty popular: Android and iOS. They are also only usable for very specific purposes, basically as remote terminals to server machines running unrestricted OSes without such limitations.)

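The polkit mechanism theamk describes, as an added example that is not part of the thread: a polkit rules file (the kind that lives under /etc/polkit-1/rules.d/) grants one user the right to manage one specific systemd unit, with every other action falling through to polkit's defaults (typically the admin password dialog). The `polkit` object and the `evaluate()` harness are constructed here so the rule can run outside polkitd; the rule body itself uses the real rules API (`polkit.addRule`, `action.id`, `action.lookup`, `subject.user`, `polkit.Result`).

```javascript
// Constructed stand-in for the object polkitd provides to rules files.
// Only the parts of the API this rule touches are modelled.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// The rule as it would appear in a rules file: user "alice" may manage
// exactly one unit, "backup.service" (hypothetical name), without becoming
// root. systemd passes the unit name in the "unit" detail of the
// org.freedesktop.systemd1.manage-units action.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.systemd1.manage-units" &&
      action.lookup("unit") === "backup.service" &&
      subject.user === "alice") {
    return polkit.Result.YES;
  }
  // Returning nothing means "not handled": later rules / the action's
  // default policy (usually auth_admin) decide instead.
});

// Constructed harness: mimics polkitd running the rules in order and
// stopping at the first rule that returns a result.
function evaluate(actionId, details, user) {
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user, isInGroup: () => false };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Sample decisions (constructed inputs): only the exact unit/user pair is
// granted; a different unit, user or action is left to the default policy.
console.log(evaluate("org.freedesktop.systemd1.manage-units",
  { unit: "backup.service", verb: "restart" }, "alice"));  // yes
console.log(evaluate("org.freedesktop.systemd1.manage-units",
  { unit: "sshd.service", verb: "stop" }, "alice"));       // not_handled
```

The point is that the privilege granted is "restart this one unit", not "become root", and the decision is logged by polkitd under alice's own identity.
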
soraminazuki, 3 days ago:
> You could instead require the app to be part of the OS.

That almost sounds like you're advocating for the abolishment of third party or user-made apps that can make changes to the system without the approval of the manufacturer.

charcircuit, 3 days ago:
This is about being able to read any file on the system including things like the user's bank authentication tokens. No 3rd party developers should be able to read bank authentication tokens. The OS should create a safer API for 3rd parties to use for the use case they want.

_flux, 3 days ago:
Doesn't this just move the bucket: which processes should the OS grant access to that API?

In any case, if the purpose is to make a backup of the system, the possibility to read each and every file as original as possible seems rather critical, in particular if we want to take advantage of e.g. content-addressing-based deduplication in the backup application. And we in any case want to restore that backup to an empty computer, so there really are no places to hide the encryption keys in such a way that they cannot be read from the backup.

charcircuit, 2 days ago:
You don't need to back up every file. It's a reasonable compromise to require users to log in to their bank again when switching to a new computer.

esseph, 3 days ago:
> Letting the operating system define granted permission for OS apps.

We're heading that direction right now, and it will be the OS vendors who decide what programs you have permissions to run and which ones you can't. That's a concept that HN seems to detest.

jjmarr, 3 days ago:
SELinux and AppArmor? Android has it figured out too.

jandrese, 3 days ago:
Have you ever tried to fix an application that was getting denied based on SELinux policies? It's a cryptic nightmare. You run a tool that gives you some magic string and hope that it works because nobody really understands what's going on. If that doesn't work you're in a world of pain. Almost as bad as Microsoft's ACLs.

Elucalidavah, 3 days ago:
If you have a privilege to replace the kernel or bootloader, you effectively have all privileges on that system. Therefore, there's no need to complicate the access limitations when you get full access anyway.

esseph, 3 days ago:
You should read over NIST 800-53 AC-2 and AC-6. They go over why privileged accounts are important, why they are used, and how they protect users and organizations. JIT access should be the goal.

Scroll down to: Implementation Guidance
https://csf.tools/reference/cloud-controls-matrix/v4-0/iam/i...

charcircuit, 3 days ago:
> JIT access should be the goal.

Individual privileges for specific things should be given access to instead of giving god access to a system.

esseph, 3 days ago:
I hear what you are saying but many, many people who have dedicated their life to this topic disagree with you. Onions have layers for a reason. RBAC by nature requires a Creator. ZeroTrust networks still require gateways.

charcircuit, 2 days ago:
I'm not saying there can't be an admin who can create roles, or do some extra authentication to gain that privilege. I am saying that it shouldn't require assuming an all powerful user to do it. You should be able to do it from your actual account. This is good for keeping accurate records too since all actions are done by the users themselves. Yes, technically sudo can be logged, but it's bypassable by starting a shell.

esseph, 2 days ago:
Elevated credentials for said users segment access while still allowing the same user to access more administrative functions. Proper group / sudoers mappings can go a long way, but you still want that administrative break between access levels.

nkrisc, 3 days ago:
I own the computer. The least privilege I have encompasses every privilege.

charcircuit, 3 days ago:
You could own a microwave, but there doesn't have to be a button that makes it run with the door open. The UI of devices doesn't let just anything happen. Similarly an operating system doesn't need to make accessible a way to do everything to the user.

inkyoto, 3 days ago:
> You could own a microwave, but there doesn't have to be a button that makes it run with the door open. The UI of devices doesn't let just anything happen.

And where is the UI capability that prevents microwave users from putting liquids (e.g. grape juice) that generate plasma storms inside the microwave and often result in fires? Or, as a bonus, crinkled foil.

To state the matter bluntly – the entire diatribe concerning the system's role in defining capabilities is as constructive as insisting that every computing device and appliance on the planet must implement B2-level RBAC and capability-based controls – an argument so unmoored from practical reality that one wonders whether its proponent has ever been burdened by implementation.

charcircuit, 3 days ago:
The UI is missing because the law doesn't require it. That's why it's possible to buy table saws without a SawStop-like safety mechanism despite it being superior to have (ignoring price). Some people will choose the cheaper and less safe option because they don't value safety as much.

nkrisc, 3 days ago:
> Similarly an operating system doesn't need to make accessible a way to do everything to the user.

Then who is it available to, if not me, the owner of the computer? What if the operating system isn't doing the things it should that I don't have access to? Do I have to bring it to someone and beg them to fix the computer for me?

esseph, 3 days ago:
"an operating system doesn't need to make accessible a way to do everything to the user"

Microsoft and Apple both seem to think this way. Questionable results.

crabmusket, 3 days ago:
I instinctually agree with nkrisc, but this is an interesting line of thought. What's an example of something that nobody should be allowed to do, e.g. on a laptop? If I buy a system with OS stuff set up from the get-go, what abilities do you withdraw from the user?

davexunit, 3 days ago:
But do you want your web browser to have the privilege to read your SSH private key? That's the risk of running programs "as you".

iberator, 2 days ago:
There has been no such operating system in the past 60 years. All systems have root/admin/god accounts.

cyberax, 3 days ago:
This sounds good in theory, but in practice it doesn't work. You always end up with an object that has all the privileges.