zlacker

1. Touche+(OP)[view] [source] 2014-10-09 01:33:21
What would be the better security model?
replies(1): >>SamRei+42
2. SamRei+42[view] [source] 2014-10-09 02:23:12
>>Touche+(OP)
Somebody exploiting your PDF reader can't upload all your email.
replies(1): >>Touche+Y6
3. Touche+Y6[view] [source] [discussion] 2014-10-09 04:16:52
>>SamRei+42
That's not a model. What's the model that prevents this? User performs a 2-step auth every time code executes?
replies(1): >>SamRei+v7
4. SamRei+v7[view] [source] [discussion] 2014-10-09 04:28:50
>>Touche+Y6
Just pick one that gives the feature I described without being a pain to the user.
replies(1): >>Touche+o8
5. Touche+o8[view] [source] [discussion] 2014-10-09 04:55:44
>>SamRei+v7
I know of no such models. Perhaps someone smarter than me has thought of them; that's why I asked the question initially.
replies(2): >>SamRei+M9 >>pjmlp+Dl
6. SamRei+M9[view] [source] [discussion] 2014-10-09 05:38:09
>>Touche+o8
Sandboxing. It's present on OS X.
replies(1): >>Touche+Eu
7. pjmlp+Dl[view] [source] [discussion] 2014-10-09 11:26:20
>>Touche+o8
Sandboxing, where each process is only allowed to use a precise set of system resources.

Any attempt to use anything else leads to termination.

replies(1): >>Touche+yu
8. Touche+yu[view] [source] [discussion] 2014-10-09 13:42:59
>>pjmlp+Dl
Which resources are they allowed to use? What defines which resources they are given?
replies(1): >>pjmlp+MB1
9. Touche+Eu[view] [source] [discussion] 2014-10-09 13:44:02
>>SamRei+M9
I'm confused. The original person I responded to said that no desktop OSes had good security models. On OSX I can write a script that, when run as a user, has access to everything the user has access to. So what exactly are you talking about?
replies(1): >>SamRei+KJ
10. SamRei+KJ[view] [source] [discussion] 2014-10-09 16:02:43
>>Touche+Eu
I'm talking about OS X sandboxing. The hypothetical PDF reader doesn't have access to the email.
11. pjmlp+MB1[view] [source] [discussion] 2014-10-10 06:46:15
>>Touche+yu
> Which resources are they allowed to use?

The system administrator at installation time.

> What defines which resources they are given?

Applications just have a request list of what they require.

If the administrator doesn't allow them for the given application modules (executable, dynamic library, function call, ...), bad luck.
