[cap-talk] Using C strings to hold capabilities.

Ben Laurie ben at algroup.co.uk
Mon Oct 11 10:12:31 EDT 2004


John C. McCabe-Dansted wrote:
> Ben Laurie suggested instead using the contents of strings to grant authority 
> rather than the pointers. This would simplify the situation further, though 
> there are hypothetical situations where using the contents could allow the 
> confused deputy problem to occur. For example, if the application normally 
> displays 'saving /etc/myapp/accounting.info', but displays 'saving 3eff3231' 
> on capability-based systems, tricking the app into using the "filename" 
> '3eff3231' for other purposes could do bad things.

OK, I now see why you suggested your method. This would involve a good 
deal of code rewriting, I'd think.

Cheers,

Ben.

-- 
ApacheCon! 13-17 November! http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
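
An added illustration, not part of the original message or either poster's code: a minimal C model of the two schemes the quoted text contrasts, where authority follows either a string's bytes or the specific pointer that was handed out. The table, the function names and the handle value's role are assumptions made for the sketch; the handle text and path are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical capability table: each entry pairs the string handed to the
   application with the resource it designates. All names are illustrative. */
struct cap { const char *handle; const char *resource; };

static char granted[] = "3eff3231";   /* handle text taken from the quoted example */
static struct cap table[] = { { granted, "/etc/myapp/accounting.info" } };
#define NCAPS (sizeof table / sizeof table[0])

/* Contents scheme: any string with matching bytes carries the authority. */
const char *lookup_by_contents(const char *s) {
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(table[i].handle, s) == 0) return table[i].resource;
    return NULL;
}

/* Pointer scheme: only the exact pointer the system handed out is honoured. */
const char *lookup_by_pointer(const char *s) {
    for (size_t i = 0; i < NCAPS; i++)
        if (table[i].handle == s) return table[i].resource;
    return NULL;
}

/* The status message the application displays; it exposes the handle text. */
void status_line(char *out, size_t n, const char *name) {
    snprintf(out, n, "saving %s", name);
}

/* A fresh string with the same bytes, as if copied back from the status line. */
const char *retyped_from_status(char *buf, size_t n) {
    char line[64];
    status_line(line, sizeof line, granted);
    snprintf(buf, n, "%s", line + strlen("saving "));
    return buf;
}

int main(void) {
    char buf[32];
    const char *copy = retyped_from_status(buf, sizeof buf);
    printf("contents, copied string: %s\n", lookup_by_contents(copy) ? "granted" : "refused");
    printf("pointer,  copied string: %s\n", lookup_by_pointer(copy) ? "granted" : "refused");
    printf("pointer,  original:      %s\n", lookup_by_pointer(granted) ? "granted" : "refused");
    return 0;
}
```

With the contents scheme, every place the application prints or logs the string becomes a place the designation can leak, which is the exposure the quoted paragraph describes.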

