[cap-talk] POLA and Mungi / Iguana style APIs
Ian G
iang at systemics.com
Thu May 19 08:45:03 EDT 2005
On Wednesday 18 May 2005 00:05, David Hopwood wrote:
> .. If you look at Norm Hardy's original motivating example of
> the Confused Deputy problem
> <http://www.cap-lore.com/CapTheory/ConfusedDeputy.html>...
>
> (Unfortunately many people don't see the importance of confused deputy
> attacks or have a "blame the user/application" response to them. For
> example see <http://c2.com/cgi/wiki?ConfusedDeputyProblem>.)
Having read those for the first time, it strikes me how
the example and the concept track so well the
notion of file descriptors and file names in Unix.
In particular, the Unix shell has always had
an ability to pass file descriptors through
inheritance as well as names to programs that
it initiates:
dd of=/dev/ad0s1c < /dev/null
is an example of a command that you do *not*
want to run if you have good authorities, using
both the "name" form and the "capability" form.
Over the history of the shell there have been
many discussions over the power of the pipe,
and the inheritance of fds, but it is striking that
30 years on, we still have basically the same
mix, and if anything, more complex programs and
tasks have preferred to err away from pipes and
towards explicit naming ...
I see this as a sort of devil's advocate question
along the lines of "if capabilities are so hot, why
has the Unix shell not evolved more in that
direction?"
iang
PS: is the term "deputy" taken from American
cultural use of the term? Like a deputy in a
Hollywood western?
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
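Added illustration (not part of the original post or thread): a small Python model of the name-versus-descriptor distinction the message draws. The per-principal "allowed directories" check is an assumed, in-process stand-in for kernel permission checks; the file descriptors themselves are real. A name-based deputy API opens whatever path the client names using the deputy's own authority, so a client can get the deputy to clobber a billing file the client could never open itself. A descriptor-based API forces the client to open the file first with its own authority, so the deputy never wields more than the client already holds.

```python
"""Toy model of the confused-deputy difference between a name-based and an
fd-based interface.  Added example, not from the original post.  The
authority check is ASSUMED and simulated (a list of permitted directories
per principal); the descriptors handed around are real OS file descriptors."""
import os
import tempfile


class Principal:
    """A process identity with a simulated set of directories it may open."""

    def __init__(self, name, allowed_dirs):
        self.name = name
        self.allowed_dirs = [os.path.realpath(d) for d in allowed_dirs]

    def open(self, path, flags=os.O_WRONLY | os.O_CREAT | os.O_TRUNC):
        """Open `path` with this principal's (simulated) authority; returns a real fd."""
        real = os.path.realpath(path)
        if not any(real.startswith(d + os.sep) for d in self.allowed_dirs):
            raise PermissionError(f"{self.name} may not open {path}")
        return os.open(real, flags, 0o600)


def deputy_write_by_name(deputy, client_path, data):
    """Name-based API: the client names a file and the deputy opens it with
    the deputy's *own* authority.  This is the confused-deputy shape."""
    fd = deputy.open(client_path)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def deputy_write_by_fd(fd, data):
    """Capability-style API: the client hands over a descriptor it already
    holds, so the deputy never exercises authority the client lacks."""
    os.write(fd, data)


def scenario():
    """Exercise both API styles against a billing file the client may not touch.
    Returns (billing_overwritten_via_name, fd_style_refused, fd_style_ok)."""
    root = tempfile.mkdtemp()                      # constructed sandbox tree
    client_dir = os.path.join(root, "client")
    billing_dir = os.path.join(root, "billing")
    os.mkdir(client_dir)
    os.mkdir(billing_dir)
    billing_file = os.path.join(billing_dir, "bill")
    with open(billing_file, "w") as f:
        f.write("original billing record\n")

    deputy = Principal("deputy", [client_dir, billing_dir])   # holds both
    client = Principal("client", [client_dir])                # holds one

    # 1. Name-based: the client passes a path it has no right to; the deputy
    #    opens it anyway, because the check runs against the deputy's authority.
    deputy_write_by_name(deputy, billing_file, b"clobbered by client\n")
    with open(billing_file) as f:
        billing_overwritten = f.read().startswith("clobbered")

    # 2. fd-based: the client must open the file itself, and its own authority
    #    does not cover the billing directory, so it never obtains a descriptor.
    try:
        fd = client.open(billing_file)
        os.close(fd)
        fd_refused = False
    except PermissionError:
        fd_refused = True

    # 3. fd-based with a file the client legitimately controls works normally.
    report = os.path.join(client_dir, "report")
    fd = client.open(report)
    try:
        deputy_write_by_fd(fd, b"report body\n")
    finally:
        os.close(fd)
    with open(report) as f:
        fd_ok = f.read() == "report body\n"

    return billing_overwritten, fd_refused, fd_ok


if __name__ == "__main__":
    print(scenario())
```

The only design difference between the two deputy functions is *who* performs the open: in the name-based form the deputy's authority is applied to a client-chosen name, which is exactly the ambiguity Hardy's example turns on; in the descriptor form the open happens on the client's side and the deputy merely writes to what it was handed, which is the shell's `dd < /dev/null`-style inheritance used deliberately.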