[Python-checkins] r50718 - python/branches/bcannon-sandboxing/securing_python.txt

brett.cannon python-checkins at python.org
Thu Jul 20 03:37:03 CEST 2006 

Author: brett.cannon
Date: Thu Jul 20 03:37:02 2006
New Revision: 50718

Modified:
   python/branches/bcannon-sandboxing/securing_python.txt
Log:
Add mention in the what-I-have security explanation that you can pass in
resources directly and skip the accessor functions being made available.
Also mentioned that object-capabilities is a subset of what-I-have security.

All based on comments from Alan Karp.


Modified: python/branches/bcannon-sandboxing/securing_python.txt
==============================================================================
--- python/branches/bcannon-sandboxing/securing_python.txt	(original)
+++ python/branches/bcannon-sandboxing/securing_python.txt	Thu Jul 20 03:37:02 2006
@@ -86,15 +86,27 @@
 ========================
 
 A contrast to who-I-am security, what-I-have security never requires
-knowing who is requesting a resource.  By never providing a function
-to access a resource or by creating a proxy that wraps the function to
-access a resource with argument checking, you can skip the need to
-know who is making a call.
-
-Using our file example, the program trying to open a file is given a
-proxy that checks whether paths passed into the function match allowed
-based at the creation time of the proxy before using the full-featured
-open function to open the file.
+knowing who is requesting a resource.  If you know what resources are
+allowed or needed when you begin a security domain, you can just have
+the powerbox pass in those resources to begin with and not provide a
+function to retrieve them.  This alleviates the worry of providing a
+function that can wield more power than the security domain should
+ever have if security is breached on that function.
+
+But if you don't know the exact resources needed ahead of time, you
+pass in a proxy to the resource that checks its arguments to make sure
+they are valid in terms of allowed usage of the protected resource.
+With this approach, you are only doing argument validation, where the
+validation happens to be related to security.  No identity check is
+needed at any point.
+
+Using our file example, the program trying to open a file is given the
+open file object directly at time of creation that it will need to
+work with.  A proxy to the full-powered open function can be used if
+you need more of a wildcard support for opening files.  But
+it works just as well, if not better, to pass in all needed file
+objects at the beginning when the allowed files to work with is known
+so as to not even risk exposing the file opening function.
 
 This illustrates a subtle, but key difference between who-I-am and
 what-I-have security.  For who-I-am, you must know who the caller is
@@ -105,7 +117,7 @@
 Object-Capabilities
 ///////////////////////////////////////
 
-What-I-have security is more often called the object-capabilities
+What-I-have security is a super-set of the object-capabilities
 security model.  The belief here is in POLA (Principle Of Least
 Authority): you give a program exactly what it needs, and no more.  By
 providing a function that can open any file that relies on identity to

More information about the Python-checkins mailing list