From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 00:34:34 2008
From: "Matt Reimer"
To: freebsd-security@freebsd.org
Date: Wed, 16 Jul 2008 17:10:32 -0700
Subject: A new kind of security needed
Is anyone else nervous trusting all his programs to have access to all his files? Is there already a reasonable solution to this problem?

It makes me nervous for, say, Firefox and its plugins to be able to read and write every file I own, whether it's gnucash, ~/.ssh, or other sensitive files. Programs could be set up to run under their own uids, but this is cumbersome, especially in a desktop environment.

One possibility would be to "filewall" off a program--say, Firefox--so that of all my uid's files Firefox is only able to read or write ~/.mozilla. If we had app signatures like it seems OS X does, then maybe a "filewall" MAC module could use extended attributes to grant access to files based on the app's signature. Permission could be granted to the application to access other files through a special file picker, so the user is always in control.

Thoughts?

Matt
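The "filewall" policy sketched in the post, written out as a small user-space model. This is an added illustration for this page, not code from the post and not FreeBSD MAC framework code: the application identities ("firefox", "gnucash"), the home directory /home/matt and the file names are constructed for the example. It shows the two decisions such a module has to get right before anything else: a per-application directory root (Firefox gets ~/.mozilla), and single files granted through a picker with only the mode the picker was opened for. It also shows why the path must be canonicalized before the check (so ~/.mozilla/../.ssh/id_rsa is judged as ~/.ssh/id_rsa) and why the root comparison must respect the directory boundary (so ~/.mozilla does not also cover ~/.mozilla-backup), two mistakes a naive prefix match would make.

```python
"""User-space model of a per-application "filewall" policy.

Added example for this page; not FreeBSD MAC code. Application identity is
taken as an opaque string standing in for the app signature the post
suggests. A real kernel module would decide on the resolved vnode rather
than on a lexical path, so this model deliberately stops at lexical
canonicalization and does not follow symlinks.
"""
import posixpath
from dataclasses import dataclass, field

HOME = "/home/matt"  # constructed sample home directory


def canonical(path: str) -> str:
    """Expand ~ and collapse '.'/'..' components lexically.

    ~/.mozilla/../.ssh/id_rsa becomes /home/matt/.ssh/id_rsa, so a policy
    check sees the file actually being opened, not the path as typed.
    """
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    if not path.startswith("/"):
        path = posixpath.join(HOME, path)
    return posixpath.normpath(path)


def under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it.

    Comparing against root + "/" keeps ~/.mozilla from also matching
    ~/.mozilla-backup, which a plain path.startswith(root) would allow.
    """
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


@dataclass
class Filewall:
    # app identity -> directory roots it may read and write freely
    roots: dict = field(default_factory=dict)
    # app identity -> {canonical file path: set of modes granted via picker}
    grants: dict = field(default_factory=dict)

    def allow_tree(self, app: str, root: str) -> None:
        """Static policy: the app owns everything under this directory."""
        self.roots.setdefault(app, []).append(canonical(root))

    def grant(self, app: str, path: str, modes: str = "rw") -> None:
        """Dynamic grant from the file picker: one file, the chosen modes."""
        self.grants.setdefault(app, {})[canonical(path)] = set(modes)

    def check(self, app: str, path: str, mode: str) -> bool:
        """Default deny; allow only via an owned tree or an explicit grant."""
        if mode not in ("r", "w"):
            raise ValueError("mode must be 'r' or 'w'")
        target = canonical(path)
        if any(under(target, root) for root in self.roots.get(app, [])):
            return True
        return mode in self.grants.get(app, {}).get(target, set())


def demo_policy() -> Filewall:
    """Policy matching the post's example: Firefox confined to ~/.mozilla,
    plus two picker grants (an 'open' of a spreadsheet, a 'save' of a PDF)."""
    fw = Filewall()
    fw.allow_tree("firefox", "~/.mozilla")
    fw.grant("firefox", "~/Documents/taxes.ods", "r")   # open dialog
    fw.grant("firefox", "~/Downloads/report.pdf", "w")  # save dialog
    return fw


if __name__ == "__main__":
    fw = demo_policy()
    for app, path, mode in [
        ("firefox", "~/.mozilla/profiles.ini", "w"),
        ("firefox", "~/.ssh/id_rsa", "r"),
        ("firefox", "~/.mozilla/../.ssh/id_rsa", "r"),
        ("firefox", "~/.mozilla-backup/key3.db", "r"),
        ("firefox", "~/Documents/taxes.ods", "w"),
        ("gnucash", "~/.mozilla/profiles.ini", "r"),
    ]:
        print(f"{app:8} {mode} {path:32} -> {'allow' if fw.check(app, path, mode) else 'deny'}")
```

The picker grant is what keeps the user in control: Firefox never receives a blanket right to ~/Documents, only the one file the user pointed at, and only in the direction (read for an open dialog, write for a save dialog) the dialog was opened for. Any application with no policy entry at all, gnucash in the demo, is denied everything outside its own grants.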