[cap-talk] ... enforcement - hope? Capabilities as clumsy, not

David Wagner daw at cs.berkeley.edu
Tue Sep 28 18:33:43 EDT 2004


Jed Donnelley writes:
>OK, perhaps I'm not being fair to the ambient authority
>model.  Let's see.  How to even try to describe it?  Firstly
>there are users - whether human or not.  Every process
>runs as a user and has the rights of that user.  Objects
>in the system are owned by users.  Beyond that there is
>the notion of groups and of 'other' (world) access.  A process
>has the right to access an object with a specific access
>right if that right is available either by virtue of the user's
>ownership rights, the user's group rights, or world access
>rights.  Does that about cover it?

No, you're not being fair.  What you're describing is the Unix model.
Unix is one example of an ambient authority system.  Not all ambient
authority systems have these properties.

For instance, Systrace is an ambient authority system where it is not
true that a process runs as a user and has all the rights of that user.

It doesn't make sense to talk about "the" ambient authority model.
There is no one ambient authority system.  Rather, the notion of "ambient
authority" is a property that some systems possess and some don't.
Similar comments apply to talking about "the" access list model.

Don't tar all ambient authority systems, or all ACL-based systems, with
the same brush.  They're not all equally bad.  Some of these systems
do better than stock Unix, even though (as I have said before) they are
not perfect.
