[cap-talk] rights communication - hope? - tome - network
Jed Donnelley
jed at nersc.gov
Mon Sep 27 16:19:30 EDT 2004
At 01:40 PM 9/24/2004, Hal Finney wrote:
>Alan Karp wrote:
> > Inferring the authorities from the command line arguments would mean
> > understanding the semantics of the application. Additional syntax,
> > such as the additional ">" in the rm example make it possible, at least
> > for read- and write-like methods. In other cases, I think you'll need
> > a per command wrapper that understands what permissions are needed by
> > the application. In our Client Utility prototype we had separate names
> > for distinct facets of an object, e.g., foo-r, foo-w, and foo-rw, with
> > obvious extensions for other types of methods.
>
>Years ago I used an operating system, TOPS-20, whose command shell allowed
>programs to specify the nature of their command-line arguments. You
>could tell whether something was supposed to be a keyword from a given
>list, a file name, and other options. Then the shell would do command
>line completion and even include program-supplied prompts...
>
>Hal Finney
Heh. Must be another "grey beard". I also worked for a number of years on
Tenex (it's name before DEC picked it up) - mostly doing OS security
analyses. I took some inspiration from Tenex - mostly in negative
senses. For example, the DCCS:
http://www.webstart.com/jed/papers/DCCS/
was supposed to be the "right" way to do what the Tenex folks were working
on as the RSExec:
R. H. Thomas,
"A Resource Sharing Executive for the Arpanet,"
AFIPS Conference Proceedings, Vol. 42, 1973, SJCC, pp.155-163.
I later explicitly denigrated the RSexec approach in:
http://www.webstart.com/jed/papers/Components/
I think the binding between naming and access control that the capability
model uses shows up as a clear advantage in both the above
papers/mechanisms (the first using explicit c-lists and the second using
the capabilities as data model) - e.g. over how things would have to work
using an ACL model or even worse the sort of ad hoc (e.g. Unix-like)
resources that show up in typical monolithic kernel systems like
Tenex/Unix/VMS/Windows with assumed authority models.
--Jed http://www.webstart.com/jed/
More information about the cap-talk
mailing list