As a first real post in here, I’ve got something that has had me thinking for a while.

With most operating systems if you talk security you generally mean the possibility of malicious code breaching either the barrier from external to user space or the next step from user space to system.

While these two barriers are perfectly all right for server systems where only once in a while a real user is doing work in an interactive session, the picture is completely different in the desktop area.

If you are setting up a server properly you make decisions about which program is allowed to do what and you have code in place to enforce such limitations. You will hardly ever run any code that you don’t fully trust.

On a desktop in contrast you generally have a very limited set of users (<2 on average) per machine who want to see as little as possible about any security stuff. Therefore most desktop software (considering anything from windows, kde, gnome, …) only makes sure that no code in the userspace is run by accident or against the users will, and that if such code is run, it has no way to modify essential parts of the system. But what any user space code (be it malicious or not) can do is to interfere with the users personal files. In the linux/unix environment this applies to the entire home folder with settings for many applications but most importantly private files such as photos, documents, …

Although Windows doesn’t store these settings directly in something like the home folder (which is already a lot more intelligent than the linux way of mixing settings and personal files) it also doesn’t really limit what an application run by user X can do with files belonging to user X.

This basically means any application that is launched by the user can delete all his personal files without the operating system ever complaining!

I think additionally to the current approach of keeping “bad” code from being executed, it is also necessary to limit any damage that could result in running the code.

This leads me to my idea of

Fractional user space rights management

  • Each user has one folder for personal files and working data and one for settings these should be distinct!
    Foreign settings are considered personal files for any other application.
  • Per default only the filemanager (Explorer, Nautilus, …) should have access to all of the files in the home folder
  • each application has its own folder in the settings, there could also be folders for groups of applications that share settings
    In this folder only the application has rights to read and write. (with exception of user authorized actions or the filemanager)
  • If an application wants to access personal files it needs to have the rights to access them. This right doesn’t come per default.
    To acquire such rights, an application has several choices:

    • show an open dialog provided by the operating system, choosing a file or directory there automatically grants the rights
      the same would happen if an application is launched through the filemanager
    • ask the user to define exceptions for this program or check for such (e.g. an image viewer should have read access to all personal files)
    • for convenience I would add a command that can grant rights for console applications. This would be a bit similar to “sudo” e.g.:
      homedo¹ rw * command

      would launch ‘command’ with read/write access for all files in the current working directory after asking for authorization
      similar to gksudo there could of course also be an interactive version of this.

  • For convenience, there could be a “relaxed” mode to limit the number of authorizations needed this mode would only limit write access but allow any read access to happen

Of course I know that this idea is rather revolutionary and that there are quite a few spots where it is rather vague (especially backend implementation and restriction enforcement). The biggest obstacle is probably not on the technical side but rather communication the need for such a system to the user and making it as transparent as possible. I think there are quite a few people who have already disabled windows vistas security system called “UAC” (I even know one computer science student who has done it, but I’m not gonna put down that name here *g*)

Ok I guess I should leave it at that, quite a lot of text for a first post ;)

¹ give credit where credit is due, Maxi ( came up with that command

Tags: , ,

3 Responses to “thoughts about user space security”

  1. Maxi says:

    Although Windows doesn’t store these settings directly in something like the home folder (which is already a lot more intelligent than the linux way of mixing settings and personal files)

    Ich finde es auch nicht gerade intelligent, die Programmeinstellungen in den gleichen Ordner zu schieben wie die Nutzerdaten – noch weniger intelligent finde ich es aber, es vorzuschlagen, die pers. Daten auf der Systempartition zu speichern. Man kann ja nicht mal einstellen, auf welcher Partition “Eigene Daten” liegen soll.

    Mir kommt der Befehl “homedo” so bekannt vor… ;)

  2. mathias says:

    ah das hab ich am ende doch vergessen dazuzuschreiben, done ;)

  3. Maxi says:

    Sollte eigentlich nur eine Anspielung sein, das hätts nicht gebraucht
    Aber danke :D

Leave a Reply