[cap-talk] confused deputy (was POLA and Mungi ...)
Charles Landau
clandau at macslab.com
Thu May 19 10:33:49 EDT 2005
At 12:59 AM -0400 5/19/05, Jonathan S. Shapiro wrote:
>MarkM straightened me out with a counterexample.
>
>However, I still believe that there are two very distinct things going
>on in the confused deputy.
>
>The first is the separation of authority from designation. The existing
>confused deputy example does not in fact demonstrate this problem. A
>similar program could do so.

If open() simply had an option that said "don't use my home files
license when considering whether I have permission to open this
file", it would solve the confused deputy problem. So I agree we need
a better example. I hope you'll publish that example here or
elsewhere.

>The second is the problem of procedures like open() that act on an
>implicit context and convert a string to a capability. The confused
>deputy really goes wrong because the namespace used to interpret the
>filename string is not an argument to open(). This is a failure of
>designation, not a failure of authority binding.

I don't see that. In the confused deputy example, there's a single
file system name space. Unless by namespace you mean to include the
user's permissions (Unix userid and group), in which case you have
simply moved the designation/authority problem from the file to the
namespace.
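Added illustration (not code from the thread or from either participant): a toy model of the classic confused-deputy scenario the thread calls "the existing confused deputy example", a compiler service that holds a write license on its billing file which the user lacks. It goes slightly beyond the message above by modelling three deputies side by side: one that opens the user-supplied output name under its own authority (the confused deputy), one that takes the option the reply proposes (open the output without the deputy's own license, here by opening it under the caller's identity), and one that takes an already-open handle, i.e. a capability, so designation and authority arrive together. The in-memory file system, the principal names, the paths `SYSX/BILL` and `USER/out`, and all function names are constructed for the example.

```python
"""
Constructed confused-deputy model: a compiler deputy with a write
license on its billing file, and a user who names that file as the
compiler's output.  Three deputy variants are compared.
"""
from dataclasses import dataclass, field


@dataclass
class FileSystem:
    """Constructed in-memory file system: contents plus, per path, the set
    of principals allowed to write it (a stand-in for Unix permissions)."""
    contents: dict = field(default_factory=dict)
    writers: dict = field(default_factory=dict)

    def open_write(self, principal, path):
        """open(): turns a string into a handle, checking PRINCIPAL's authority.
        The principal is the implicit context the quoted message objects to."""
        if principal not in self.writers.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        return FileHandle(self, path)


class FileHandle:
    """A capability: whoever holds it may write the designated file."""
    def __init__(self, fs, path):
        self._fs = fs
        self.path = path

    def write(self, data):
        self._fs.contents[self.path] = data

    def append(self, data):
        self._fs.contents[self.path] = self._fs.contents.get(self.path, "") + data


def make_fs():
    """Billing file writable only by the compiler; the user's file by both."""
    fs = FileSystem()
    fs.contents["SYSX/BILL"] = "billing records"
    fs.writers["SYSX/BILL"] = {"compiler"}
    fs.writers["USER/out"] = {"user", "compiler"}
    return fs


def record_billing(fs):
    """The deputy's legitimate use of its own license."""
    fs.open_write("compiler", "SYSX/BILL").append("\n+1 compile")


def compile_ambient(fs, caller, output_name):
    """Confused deputy: the output name is resolved in the deputy's own
    context, so the deputy's license is applied to a file the caller chose."""
    fs.open_write("compiler", output_name).write("object code")
    record_billing(fs)


def compile_as_caller(fs, caller, output_name):
    """The 'don't use my license' option: the output is opened under the
    caller's identity; only the billing file uses the deputy's license."""
    fs.open_write(caller, output_name).write("object code")
    record_billing(fs)


def compile_capability(fs, output_handle):
    """Capability style: the caller had to open the output itself, so it can
    only designate files it already holds authority over; no name is passed."""
    output_handle.write("object code")
    record_billing(fs)


def run_attack(deputy):
    """User names the billing file as the compiler output.  Returns the
    billing file's final contents, or the permission error that stopped it."""
    fs = make_fs()
    try:
        if deputy is compile_capability:
            deputy(fs, fs.open_write("user", "SYSX/BILL"))
        else:
            deputy(fs, "user", "SYSX/BILL")
    except PermissionError as err:
        return str(err)
    return fs.contents["SYSX/BILL"]


def run_legit():
    """Ordinary use with the capability deputy: user output written, billing intact."""
    fs = make_fs()
    compile_capability(fs, fs.open_write("user", "USER/out"))
    return fs.contents["USER/out"], fs.contents["SYSX/BILL"]


if __name__ == "__main__":
    for deputy in (compile_ambient, compile_as_caller, compile_capability):
        print(f"{deputy.__name__:20s} -> {run_attack(deputy)!r}")
    print("legitimate use       ->", run_legit())
```

Running the block shows the ambient deputy overwriting the billing records with object code, while both the "don't use my license" option and the capability deputy reject the attack with the same permission error. That the option alone is enough in this scenario is consistent with the reply's view that the standard example needs a better successor; the difference the capability variant adds is structural rather than visible in the result: it never receives a filename at all, so there is no implicit context in which a string could be misresolved.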