zlacker

That's not a model. What's the model that prevents this? User performs a 2-step auth every time code executes?

replies(1): >>SamRei+x

>>Touche+(OP)
Just pick one that gives the feature I described without being a pain to the user.

replies(1): >>Touche+q1

>>SamRei+x
I know of no such models. Perhaps someone smarter than me has thought of them, that's why I asked the question initially.

replies(2): >>SamRei+O2 >>pjmlp+Fe

>>Touche+q1
Sandboxing. It's present on OS X.

replies(1): >>Touche+Gn

>>Touche+q1
Sandboxing, where each process is only allowed to use a precise set of system resources.

Any attempt to use anything else leads to termination.

replies(1): >>Touche+An

>>pjmlp+Fe
Which resources are they allowed to use? What defines which resources they are given?

replies(1): >>pjmlp+Ou1

>>SamRei+O2
I'm confused. The original person I responded to said that no desktop OSes had good security models. On OSX I can write a script that, when run as a user, has access to everything the user has access to. So what exactly are you talking about?

replies(1): >>SamRei+MC

>>Touche+Gn
I'm talking about OS X sandboxing. The hypothetical PDF reader doesn't have access to the email.

>>Touche+An
> Which resources are they allowed to use?

The system administrator at installation time.

> What defines which resources they are given?

Applications just have a request list of what they require.

If the administrator doesn't allow them for the given application modules (executable, dynamic library, function call,...), bad luck.