[cap-talk] rights communication - hope? - tome - network
jed at nersc.gov
Tue Sep 28 14:37:49 EDT 2004
At 01:27 AM 9/28/2004, Ian Grigg wrote:
>Ben Laurie wrote:
>>David Wagner wrote:
>>>Jed Donnelley wrote:
>>>>Can you tell
>>>>me why people are pursuing ACLs rather than capabilities as a model
>>>>for "communicating" rights in the examples you mentioned earlier,
>>>>e.g. SELinux and Systrace?
>>>They're not. Or at least, they're not pursuing ACLs specifically so
>>>much as just trying to solve the problem whatever way occurs to them.
>>>It's not that they've decided "ACLs are better, and darn it, I refuse to
>>>use capabilities". Rather, they're just building whatever is easiest
>>>and works. If you want to suggest to them that "no, you should only
>>>use capabilities, and never use anything else; capabilities are better
>>>than what you're doing now", you need to make the case that changing
>>>what they do will provide sufficient benefits to be worth the change.
>>>It's a question of where the burden of proof lies.
>>I don't think that's the issue at all. Surely the point is that SELinux
>>and Systrace impose their will on a program from outside, and that just
>>can't be done with object capabilities - the program has to cooperate to
>>play the capability game.
>Isn't it because they can describe ACLs in one sentence,
>and there isn't a competitor? "I want this person to have
>this right over that program. Now build that...."
As soon as the discussion turns to what rights people should
have (as opposed to processes) then I believe the mechanisms
should be built at a higher level. The above sentence, "I want this
person to have this right over that program." is a bit of a muddle
for me. I seem to remember that ACLs first arose as a direct
implementation of the notion of an access rights matrix where
people were the subjects and computing resources were the
objects. However, when one drops down to the level of processes
being the active elements (subjects and possibly objects) then
for me at least the ACL approach to rights management and
certainly to rights communication across domains (e.g. across
a network) falls apart completely.
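The access-matrix point in the message above, worked as a small added example (mine, not code from the thread or from SELinux/Systrace): an object guarded by an ACL keyed on subject names beside one guarded by capability tokens, and what happens when a right has to reach a process in another domain. All names (alice, payroll.db, otherdomain:worker) are constructed.

```python
"""ACLs versus capabilities for passing a right to a process in another domain.
Constructed example; the names (alice, payroll.db, otherdomain:worker) are made up."""
import secrets

class AclObject:
    """Column of the access matrix: the object decides by the requester's name."""
    def __init__(self, acl):
        self.acl = acl                      # subject name -> set of rights
    def access(self, subject, right):
        return right in self.acl.get(subject, set())

class CapObject:
    """Row-oriented alternative: the object decides by the token presented."""
    def __init__(self):
        self._caps = {}                     # token -> frozenset of rights
    def mint(self, rights):
        token = secrets.token_hex(16)       # unguessable, hence unforgeable
        self._caps[token] = frozenset(rights)
        return token
    def attenuate(self, token, rights):
        """Derive a weaker capability; needs possession of an existing token."""
        held = self._caps.get(token, frozenset())
        return self.mint(held & frozenset(rights))
    def access(self, token, right):
        return right in self._caps.get(token, frozenset())

def acl_remote_delegation():
    """alice wants a process in another domain to read payroll.db. The ACL only
    knows names in its own domain, so the foreign process is denied until an
    administrator adds a name for it that the server can also authenticate."""
    payroll = AclObject({"alice": {"read", "write"}, "bob": {"read"}})
    return payroll.access("otherdomain:worker", "read")

def cap_remote_delegation():
    """Same goal with capabilities: alice attenuates her token to read-only and
    sends it over the network; the object checks the token, not who sent it."""
    payroll = CapObject()
    alice = payroll.mint({"read", "write"})
    worker = payroll.attenuate(alice, {"read"})  # this is what crosses the wire
    return payroll.access(worker, "read"), payroll.access(worker, "write")

def forged_token_is_rejected():
    """A token the object never minted grants nothing, whoever presents it."""
    payroll = CapObject()
    return payroll.access(secrets.token_hex(16), "read")
```

The ACL case needs an identity the remote server can name and authenticate before any right flows; the capability case needs only a channel on which the token can travel.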