Secure Coding mailing list archives
RE: Opinion re an interesting article on Linux security in Linux Journal
From: Nick Lothian <nl () essential com au>
Date: Wed, 10 Mar 2004 23:49:09 +0000
To secure a machine from malware introduced by a naive user it is required that naive users not have the privilege to introduce software that can be executed by them or by other naive users.
I would disagree. There's nothing wrong with allowing naïve users to introduce software they or others can execute - provided its execution is appropriately sandboxed. Trouble is, _that_ is hard. Java in web-browsers tried it, and gave us bugs in the jvm sandbox. Also, what the sandboxes should permit the sandboxed software to do varies from site to site, and in some cases from machine to machine, and some of those sites don't have anyone competent to figure out what the restrictions should be for them, much less correctly configure the sandbox to implement them.
I'd go further - I think it is extremely rare that anyone configures their sandbox properly. I "do" Java development, and I would guess that less than 10% of application server deployments are done with the Java security manager enabled. I'm not aware of any statistics in this area (Java deployments using the sandbox vs not using it), and I'd be very interested in any hard numbers.
Nick