zlacker

Somebody exploiting your PDF reader can't upload all your email.

replies(1): >>Touche+U4

>>SamRei+(OP)
That's not a model. What's the model that prevents this? User performs a 2-step auth every time code executes?

replies(1): >>SamRei+r5

>>Touche+U4
Just pick one that gives the feature I described without being a pain to the user.

replies(1): >>Touche+k6

>>SamRei+r5
I know of no such models. Perhaps someone smarter than me has thought of them, that's why I asked the question initially.

replies(2): >>SamRei+I7 >>pjmlp+zj

>>Touche+k6
Sandboxing. It's present on OS X.

replies(1): >>Touche+As

>>Touche+k6
Sandboxing, where each process is only allowed to use a precise set of system resources.

Any attempt to use anything else leads to termination.

replies(1): >>Touche+us

>>pjmlp+zj
Which resources are they allowed to use? What defines which resources they are given?

replies(1): >>pjmlp+Iz1

>>SamRei+I7
I'm confused. The original person I responded to said that no desktop OSes had good security models. On OSX I can write a script that, when run as a user, has access to everything the user has access to. So what exactly are you talking about?

replies(1): >>SamRei+GH

>>Touche+As
I'm talking about OS X sandboxing. The hypothetical PDF reader doesn't have access to the email.

>>Touche+us
> Which resources are they allowed to use?

The system administrator at installation time.

> What defines which resources they are given?

Applications just have a request list of what they require.

If the administrator doesn't allow them for the given application modules (executable, dynamic library, function call,...), bad luck.