Shared address space and trust and what is a "user" [Re: Our Manifesto (Please Read)]

Chris Bitmead uid(x22068)
Thu, 08 May 1997 11:07:05 +1000

>> The problem I can see with that, is that since all processes in a
>> lispOS are "trusted", and share the same address space, then having
>> native binaries opens the way for hackers to write rogue programs.
>> Or maybe something can be done with trusted keys to ensure a
>> particular binary is trusted???
>This again brings up a topic that came up briefly with Mike in private mail. 
>In today's Internet environment, you really can't run services on a system in
>which the server code has access to the full system because the risk of 
>security bugs is so great.  

Well that's the same old question of what you should run as root I

>If LispMs had become as popular as Unix systems 
>have become, the problem with viruses and hackers would be far worse than it 

I don't see why. Can you expand on this?

>I'm entirely underqualified to solve the issues involved, but someone
>needs to think about how we either isolate different users in the same
>address space or how we pass objects between processes running as
>different users.

I think the whole issue of same/different address spaces, how the POS
fits in with the virtual memory, and generally the whole virtual
memory design needs quite a lot of thought. This is whether or not the
system is implemented on top of UNIX or from the ground up.

There are lots of options on how to do this.

>Also, what exactly is a "user" in a LispOS?  In the mail I sent about the 
>security needs of an SMTP server, I mentioned running .forward-style hooks as 
>the receiving user rather than as something like "root".  What does that really 
>mean in a LispOS?

I think that probably a user is pretty much the same as it is on UNIX,
unless you can see a better solution.
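The .forward-style question above (run a recipient's hook as that user, not as the server) can be shown in a few lines even without settling the address-space debate. The following is an added example, not code from the LispOS list or from anyone in the thread. It assumes a hypothetical model in which a "user" is an authority token carried by the running context inside one shared address space, every object records its owner, and a small reference monitor checks each access against whatever authority is in effect; the names `Monitor`, `User`, `Mailbox`, `deliver` and the sample hooks are all constructed for illustration.

```python
"""Toy reference monitor for a shared-address-space system.

Added example, not from the LispOS discussion. Assumed model: a "user" is an
authority token held by the executing context rather than a separate OS
process; every object records its owner; the delivery routine files mail
under the server's authority and then runs the recipient's hook under the
recipient's authority only, so a misbehaving hook cannot reach other users'
objects even though everything lives in one address space.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    admin: bool = False  # constructed stand-in for root-like authority


@dataclass
class Mailbox:
    owner: User
    messages: list = field(default_factory=list)


class Monitor:
    """Mediates every access to an owned object against the current authority."""

    def __init__(self):
        self._stack = []  # authorities in effect, innermost last

    @contextmanager
    def running_as(self, user):
        self._stack.append(user)
        try:
            yield
        finally:
            self._stack.pop()  # restored even if the hook raises

    def current(self):
        if not self._stack:
            raise RuntimeError("no authority in effect")
        return self._stack[-1]

    def check(self, obj):
        who = self.current()
        if who.admin or obj.owner == who:
            return obj
        raise PermissionError(f"{who.name} may not touch {obj.owner.name}'s object")

    def append(self, mailbox, message):
        self.check(mailbox).messages.append(message)

    def read(self, mailbox):
        return list(self.check(mailbox).messages)


def deliver(monitor, server, mailboxes, hooks, recipient_name, message):
    """File the message under server authority, then run the recipient's
    hook (if any) with the recipient's authority, never the server's."""
    box = mailboxes[recipient_name]
    with monitor.running_as(server):
        monitor.append(box, message)
    hook = hooks.get(recipient_name)
    if hook is None:
        return None
    with monitor.running_as(box.owner):
        return hook(monitor, mailboxes)


def demo():
    """Constructed scenario: alice's hook only counts her own mail; bob's
    hook misbehaves and tries to read alice's mailbox."""
    monitor = Monitor()
    server = User("smtpd", admin=True)
    alice, bob = User("alice"), User("bob")
    mailboxes = {"alice": Mailbox(alice), "bob": Mailbox(bob)}

    def alice_hook(m, boxes):
        return len(m.read(boxes["alice"]))

    def bob_hook(m, boxes):
        return m.read(boxes["alice"])

    results = {}
    results["alice"] = deliver(monitor, server, mailboxes,
                               {"alice": alice_hook}, "alice", "hello alice")
    try:
        deliver(monitor, server, mailboxes, {"bob": bob_hook}, "bob", "hello bob")
        results["bob"] = "read alice's mail"
    except PermissionError:
        results["bob"] = "denied"
    # the message itself was filed before the hook ran and is still there
    with monitor.running_as(server):
        results["bob_count"] = len(monitor.read(mailboxes["bob"]))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the shape of `deliver`: the only code that runs with the server's (admin) authority is the append, and the authority stack is unwound by `running_as` whether or not the hook raises, which is the invariant a real design in a shared address space would have to guarantee.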