*Exactly* my reasoning behind suggesting a "safe shell". Constraining
ourselves to any one language is antisocial, nonprogressive, and
anti-WWW-philosophy (as I see it). I'd like to put up Perl scripts, C
code, and even binary code for different platforms - even if there were
a safe Perl I wouldn't write everything in that.
> A truly anonymous program might begin executing with with finite
> resources: a certain amount of memory and some CPU time. To gain
> access to the filesystem, network ports, databases, more compute time,
> or more memory, I see three options:
>
> (1) In an interactive session, (like a program that runs inside Mosaic
> to control a smart form) the virtual machine could present a dialog to
> the interactive user:
>
> The 'fractal image display' task has consumed the default
> maximum memory resources, and requested 5MB more.
> <Grant Request> <Abort Task>
The 'smart form' task wishes to open a socket connection to port 25
(sendmail) on whitehouse.gov.
<Grant Request> <Abort Task>
The 'geometric viewer' application wants to read the file "/etc/passwd".
<Grant Request> <Abort Task>
It seems that at least in terms of protecting operating systems, which can be
defined by a limited number of subsystems each of which can be explicitely
monitored, this system would work. The client could even specify certain
allowed things, like "can always write to /tmp".
The thesis that "specifically allowing certain actions is safer than
specifically prohibiting others" can be integrated into this, one would
think.
The main argument I heard to this was that shells would be hard to implement
on some systems, such as the Macintosh. I don't know what to answer to that,
other than I'd have to gain a deeper knowlege of the Macintosh architecture
before being convinced. Second opinions anyone?
Brian