Comment by anaphor
6 years ago
Have you looked into the object capability model of permissions? https://en.wikipedia.org/wiki/Capability-based_security
This is exactly the type of problem it solves, usability with security.
I don't see how it solves the selfpwn problem - that is, for any capability I can explicitly grant if I know what I'm doing, someone else can grant it because a malicious actor nicely asked them to do it. If you take away the ability to grant the capability, you're reducing usability.
Yeah, that's really an unsolvable problem I guess. But you could at least make it clear to the user what some app is requesting. If it's requesting the root capability / ambient authority (basically access to everything) then that should be a big red flag.
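The object-capability model that the thread links to, reduced to a toy sketch. This is an added illustration, not code from any of the commenters and not the API of any real ocap system (E, Capsicum, seL4 and so on); every name in it is invented for the example. It shows the three points the exchange turns on: authority travels with the reference rather than being ambient, the grantor can attenuate a capability before handing it over, and a request for the root capability is something an installer can recognise and flag, while a user who approves it anyway is still pwned, exactly as the reply says.

```python
"""Toy object-capability (ocap) sketch. Added example, not from the thread or
from any real ocap system; all names here are invented for illustration.
Python is not an ocap language (closures can be introspected), so this only
models the discipline; real systems rely on language or OS enforcement."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Cap:
    """A capability: a bundle of closures. A missing closure means that right is absent."""
    read: Callable[[str], str]
    write: Optional[Callable[[str, str], None]]
    scope: str  # human-readable description shown to the user at grant time


def make_root_cap(store: dict) -> Cap:
    """Root capability over the whole store. The dict is reachable only through
    these closures, which is what makes holding the reference equal to holding
    the authority: there is no global 'open anything' call for an app to reach for."""
    def read(key: str) -> str:
        return store[key]

    def write(key: str, value: str) -> None:
        store[key] = value

    return Cap(read=read, write=write, scope="root (everything)")


def attenuate(cap: Cap, *, prefix: str = "", readonly: bool = False) -> Cap:
    """Derive a weaker capability from `cap`. Attenuation composes: the result can
    never do more than `cap`, because every call is routed back through it."""
    def guard(key: str) -> None:
        if not key.startswith(prefix):
            raise PermissionError(f"{key!r} is outside scope {prefix!r}")

    def read(key: str) -> str:
        guard(key)
        return cap.read(key)

    def write(key: str, value: str) -> None:
        guard(key)
        cap.write(key, value)  # type: ignore[misc]  (only built when cap.write exists)

    write_fn = None if (readonly or cap.write is None) else write
    desc = f"{'read-only' if write_fn is None else 'read-write'} under {prefix!r}"
    return Cap(read=read, write=write_fn, scope=desc)


ROOT_SCOPE = "root"  # invented manifest vocabulary for this example


def review_request(manifest: dict) -> list:
    """Warnings an installer would show before the user approves a request.
    Asking for the root capability is the 'big red flag' case from the thread."""
    warnings = []
    if manifest.get("scope") == ROOT_SCOPE:
        warnings.append("RED FLAG: app requests the root capability (access to everything)")
    elif manifest.get("write") and not manifest.get("prefix"):
        warnings.append("WARNING: write access with no prefix restriction")
    return warnings


def grant(root: Cap, manifest: dict) -> Cap:
    """What the user hands the app once they have approved the reviewed request."""
    if manifest.get("scope") == ROOT_SCOPE:
        return root
    return attenuate(root, prefix=manifest.get("prefix", ""),
                     readonly=not manifest.get("write", False))


def untrusted_app(cap: Cap) -> dict:
    """A third-party component that misbehaves whenever its capability lets it."""
    result = {"leaked_secret": None, "wrote_notes": False}
    try:
        result["leaked_secret"] = cap.read("secrets/api_key")
    except PermissionError:
        pass
    try:
        if cap.write is not None:
            cap.write("notes/todo", "buy milk")
            result["wrote_notes"] = True
    except PermissionError:
        pass
    return result


def demo() -> tuple:
    """Constructed sample store; returns what the app achieved with a narrow grant
    and with a root grant (the latter is the self-pwn case: the user said yes)."""
    store = {"secrets/api_key": "hunter2", "notes/todo": ""}
    root = make_root_cap(store)
    narrow = {"scope": "prefix", "prefix": "notes/", "write": True}
    wide = {"scope": ROOT_SCOPE}
    return untrusted_app(grant(root, narrow)), untrusted_app(grant(root, wide))


if __name__ == "__main__":
    print(review_request({"scope": ROOT_SCOPE}))
    print(demo())
```

Note that nothing in `attenuate` can widen a capability: re-attenuating a `notes/`-scoped cap with an empty prefix still fails on `secrets/...`, because the inner guard runs first. What the model cannot do is stop a user from approving the root request after the installer flags it, which is the residual problem the second reply describes.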