On Parcel and CPIA Script Security

July 26th, 2005 at 11:45 am by heikki under Chandler Desktop Development

We have made a conscious decision not to implement half-hearted security sandboxes for CPIA Script and third-party parcels. Python itself does not provide a sandbox (unlike Java and JavaScript, for example), so doing this properly would be very hard, although projects like Zope have come up with limited sandbox-like functionality.

What this means in practice is that any CPIA script or parcel runs with the full privileges of the user running Chandler: it can do anything that user, and by extension Chandler, can do, not just touch Chandler's own data.
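
To make concrete what a "half-hearted sandbox" buys you, here is an added example (it is not Chandler or CPIA code, and the names in it are the example's own): a constructed "parcel" is executed under a naive Python sandbox that hands it an empty set of builtins. The sandbox does stop a plain `import os`, but the script reaches the `os` module again by walking the interpreter's object graph, which is the kind of hole that makes a real Python sandbox such hard work.

```python
import os

# Constructed "parcel" source for this example (not Chandler/CPIA code). The naive
# sandbox below runs it with an empty __builtins__, so `import`, open() and
# friends are unavailable by name. It gets them back anyway.
ESCAPING_PARCEL = '''
# Start from any object (an empty tuple), go to its class, then to `object`,
# then enumerate every class loaded in the interpreter. Classes defined in
# Python modules carry a reference to their module's globals; the one that
# belongs to the os module hands back the whole file-system API.
for cls in ().__class__.__base__.__subclasses__():
    try:
        module_globals = cls.__init__.__globals__
    except:  # C slot wrappers have no __globals__; with no builtins there are no exception names to catch by name
        continue
    if "getcwd" in module_globals and "listdir" in module_globals:
        # These are the os module's globals: full file-system access is back.
        result = module_globals["getcwd"]()
        break
'''


def run_in_naive_sandbox(source):
    """Execute untrusted source with an empty builtins namespace (the naive
    sandbox) and return whatever it stored in the name `result`, or None."""
    namespace = {"__builtins__": {}}
    exec(source, namespace)
    return namespace.get("result")


def naive_sandbox_blocks_import():
    """The sandbox does stop the obvious move: without __import__ in the
    builtins, the `import os` statement raises ImportError."""
    try:
        run_in_naive_sandbox("import os\nresult = os.getcwd()")
    except ImportError:
        return True
    return False


def naive_sandbox_is_escaped():
    """...but the same sandbox is escaped through the object graph: the
    parcel recovers os.getcwd() and returns the real working directory."""
    return run_in_naive_sandbox(ESCAPING_PARCEL) == os.getcwd()


if __name__ == "__main__":
    print("import blocked:", naive_sandbox_blocks_import())   # True
    print("escaped anyway:", naive_sandbox_is_escaped())      # True
```

The escape uses nothing Chandler-specific; it works because every Python function carries its module's globals and every class is reachable from `object`. Removing builtins, or filtering names, only raises the bar slightly, which is why the post treats parcels as trusted code and relies on where they come from and on the privileges of the account running them.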

Please note that this is no different from the way Mozilla Firefox extensions work, for example. Once you install a Firefox extension, it can do whatever it wants; if it is malicious, bad things will happen.

There are several ways in which the Mozilla project mitigates these risks. First, most users install extensions from the SSL-protected site addons.mozilla.org. There is no guarantee that extensions installed from there are not malicious, but it is fairly unlikely. It is possible to install extensions from other sites as well, but this requires more user action, which hopefully makes some people think about the implications of their actions and will also discourage a fair number of people altogether. Finally, there is a two-second delay in the install dialog so that people won’t accidentally click the install button before they have had a chance to see it. The Mozilla project also supports signed extensions, but these are extremely rare because the signing process is difficult.

The success of the Mozilla Firefox project, and the rarity (so far) of malicious extensions, makes this seem like a good model for Chandler as well. Once third-party Chandler parcels start appearing, we should provide a trusted site from which to search for and download them.

Finally, there is one way to limit the damage a malicious Firefox extension or Chandler parcel can do: do not run the computer with root or administrator privileges. A parcel running under an ordinary user account can still do anything that account can, but it cannot take over the rest of the system.


7 Responses to “On Parcel and CPIA Script Security”

  1. qukza Says:

    “Do not run the computer with root or administrator privileges.”

    Well, easier said than done in Windows, as there are thousands of programs, including anti-virus and other security stuff, that will only run properly with admin privileges. And to date Windows hasn’t exactly made it easy to run without admin privileges. I bet 95% of Windows users have no clue about running as non-admin or how to run selected programs with reduced privileges.

    Useful links, tools and how-to info here: http://nonadmin.editme.com/

    There seem to be quite a few people at Microsoft, bless them, that get this, e.g.:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp

    I use “Drop My Rights” to run Thunderbird and Firefox with reduced privileges. See:
    http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

  2. qukza Says:

    Oops! The URLs got mangled. One more try. All the various sites and tools I referenced can be found here:
    http://nonadmin.editme.com/ — Or just Google nonadmin.

  3. Pieter Hartsook Says:

    Qukza’s last comment had a URL that got munged. The URL was supposed to be - http://nonadmin.editme.com . There is a quirk in this WordPress installation where ending a paragraph with a URL causes problems.

    So in the future, make sure you put additional characters following a URL before you hit that carriage return.

    BTW - I just went back and fixed those previous comments by adding some space characters at the end of the URL lines.

    Pieter

  4. heikki Says:

    Yes, I know running Windows without admin rights is hard. I tried to do it with Windows 2000, but too many things broke. When I got Windows XP in 2003 I tried it again, and have since then run Windows as regular user.

    Sure, there are still problems, but few enough that I can actually live with it.

  5. qukza Says:

    Thanks for fixing the URLs.

    Just a thought, but couldn’t you embed some of the functionality of the tools discussed in the nonadmin site into a program like Chandler? For example, at startup check whether the user is “Admin” and then by default lower program privileges so it starts with only “User” privileges.

  6. heikki Says:

    Sure, but it would be a fair amount of work and we don’t even have a usable product yet. Some other projects might be interested, though.

    But hopefully Windows Vista will get this right…

  7. qukza Says:

    Yes, see Larry Seltzer’s opinion column in eWeek from 7/28 on Vista Beta1 security features.

    “Getting an account with Administrator privileges is now the extraordinary case, but it’s not generally going to be necessary. If you do something that requires admin privileges, such as changing firewall settings, the system will offer you an opportunity to enter account credentials that have sufficient privileges, such as the Administrator account. So you can run normally as a non-Administrator. This is all called “User Account Protection…”
