From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [9fans] Inferno plug-in security
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID:
From: "Anssi Porttikivi"
To: <9fans@cse.psu.edu>
Date: Wed, 20 Jun 2001 15:01:05 +0300
Topicbox-Message-UUID: bdff9ca6-eac9-11e9-9e20-41e7f4b1d025

wrote in message news:<20010619171302.3531519A05@mail.cse.psu.edu>...

> //the basic idea in all Plan 9 and Inferno is, that even network connections
> //are services offered by directories which are called "file systems"
>
...
> different users have different permissions to different
> things, right? we can tell these users are different people because they have a
> certain key/passwd/response. without signing on a dis module, we face two
> problems, both of which exist in any system with no authentication...

Certainly, you are right. But the first and easy step for Inferno plug-in security is to let the Web browser user decide what "objects" are bound to the name space. By implementing or installing a good selection of an inheritance hierarchy of "directory objects", the user can choose at will, and interactively, at the precision of his liking, what the plug-in is EXACTLY allowed to do. Besides, it would be fairly easy to allow the user to configure different Inferno user ids and choose which identity a plug-in is allowed to use.

Of course there will be a further, advanced need for module signing. That is why module signing was designed to be part of Inferno. But in Inferno/Plan 9 you can have exact control over the set of resources an untrusted module is allowed to access. Not a sandbox, but a custom-built playing field, buildable with "bind -a".
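One way to build such a playing field, given here as an added example rather than anything from the original message or from Inferno's own sources: a hypothetical Limbo command `plugrun` that forks a private name space, forbids raw device attaches, hides the network, host mounts and user directories behind an empty directory, unions a user-chosen directory into /tmp with the equivalent of `bind -a`, and only then loads the untrusted Dis module. The paths /mnt/empty and /usr/plug/shared are assumptions.

```limbo
implement PlugRun;
# Hypothetical plug-in runner (added example, not Inferno's own code):
# runs a Dis module in a private name space from which the network,
# host mounts and user directories have been hidden, so the module can
# reach only what the user chose to bind in for it.
include "sys.m";
	sys: Sys;
include "draw.m";
include "sh.m";	# defines the Command module type implemented by Dis commands
PlugRun: module
{
	init: fn(ctxt: ref Draw->Context, argv: list of string);
};

init(ctxt: ref Draw->Context, argv: list of string)
{
	sys = load Sys Sys->PATH;
	if (len argv < 2) {
		sys->fprint(sys->fildes(2), "usage: plugrun module.dis [args]\n");
		raise "fail:usage";
	}
	modpath := hd tl argv;
	# Private copy of the caller's name space; NODEVS stops the module
	# from attaching kernel devices (#I, #U, ...) to undo the binds below.
	sys->pctl(Sys->FORKNS | Sys->NODEVS, nil);
	empty := "/mnt/empty";		# assumed: an existing empty directory
	shared := "/usr/plug/shared";	# assumed: what the user chose to expose
	# Union the chosen resources after /tmp (the "bind -a" of the message),
	# before /usr is hidden, since the path is resolved at bind time.
	if (sys->bind(shared, "/tmp", Sys->MAFTER) < 0)
		fail("bind " + shared);
	# Replace the network, host mounts and home directories with the empty dir.
	if (sys->bind(empty, "/net", Sys->MREPL) < 0 ||
	    sys->bind(empty, "/n", Sys->MREPL) < 0 ||
	    sys->bind(empty, "/usr", Sys->MREPL) < 0)
		fail("bind " + empty);
	mod := load Command modpath;
	if (mod == nil)
		fail("load " + modpath);
	mod->init(ctxt, tl argv);	# runs inside the restricted name space
}

fail(what: string)
{
	sys->fprint(sys->fildes(2), "plugrun: %s: %r\n", what);
	raise "fail:" + what;
}
```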