[cap-talk] Unix FDs as capabilities, preventing socket creation,
kerberos etc?
Sandro Magi
smagi at naasking.homeip.net
Sun Nov 27 12:01:58 EST 2005
David Mercer wrote:
> Such an initial login process could itself be implemented purely in
> capabilities.
> Have there always be present in the root context of all domains a
> special, publicly accessible 'well known capability' that takes an
> ID (which is really secretly transformed into a capability every
> time), a password (or biometric input, token output, etc.) and
> returns the capability that they point to. If they are wrong, you
> don't get the right (or perhaps even meaningful) one.
>
> Is that anything at all like how past/current cap systems handle initial
> user powerbox state? Pointers to how the above is wheel reinvention,
> which I suspect it is.
Excerpt:
In EROS: there is a capability in your login database entry that says
"when shap logs in, reconnect him to the following session". The shell
within that session has a capability to your home directory. Other
capabilities proceed either from your home directory or from session
state held by your shell.
http://www.eros-os.org/pipermail/e-lang/2003-September/008980.html
So the login database is a directory of capabilities indexed by your
login credentials. For this to be secure, login credentials should
preferably be "unguessable".
Sandro
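Sandro's summary (a login database that is a directory of capabilities indexed by credentials, with credentials that should be unguessable) as an added Python sketch. This is my illustration, not code from the thread, from EROS or from any cap system; the names `HomeDirectory`, `Session`, `LoginDatabase`, the PBKDF2 choice and the sample user are assumptions. The login function is the publicly reachable "well known capability" David describes: it maps (id, password) to a session capability, and a wrong credential yields no capability at all rather than a degraded one. "Unguessable" is made concrete on the defender's side with a per-user salt, a slow KDF, a constant-time comparison, and equal work for unknown ids so timing does not reveal which ids exist.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example. In an object-capability setting a capability is an
# unforgeable reference; here it is simply a Python object reference that the
# login service hands out. Nothing else in the program reaches a
# HomeDirectory except through a Session obtained from LoginDatabase.login.


class HomeDirectory:
    """The resource a session ultimately grants access to (assumed name)."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.files: Dict[str, bytes] = {}


class Session:
    """Capability returned at login: authority over exactly one home directory."""

    def __init__(self, home: HomeDirectory) -> None:
        self._home = home

    def list_files(self) -> List[str]:
        return sorted(self._home.files)

    def write(self, name: str, data: bytes) -> None:
        self._home.files[name] = data


class LoginDatabase:
    """Directory of capabilities indexed by login credentials.

    Each entry holds a per-user salt, a slow-KDF verifier of the password and
    a factory that "reconnects" the user to their session. The password itself
    is never stored; a wrong password returns no capability.
    """

    KDF_ITERATIONS = 100_000  # assumption: tune to the deployment's budget

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, bytes, Callable[[], Session]]] = {}
        # Dummy entry so that a lookup of an unknown id costs the same KDF
        # work as a known one (no id-enumeration via timing).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_verifier = self._derive("", self._dummy_salt)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.KDF_ITERATIONS)

    def enroll(self, user_id: str, password: str, factory: Callable[[], Session]) -> None:
        salt = secrets.token_bytes(16)
        self._entries[user_id] = (salt, self._derive(password, salt), factory)

    def login(self, user_id: str, password: str) -> Optional[Session]:
        """The publicly reachable 'well known capability': credentials in, capability out."""
        entry = self._entries.get(user_id)
        if entry is None:
            salt, verifier, factory = self._dummy_salt, self._dummy_verifier, None
        else:
            salt, verifier, factory = entry
        ok = secrets.compare_digest(self._derive(password, salt), verifier)
        if ok and factory is not None:
            return factory()
        return None  # wrong id or password: no capability, not a weaker one


def make_demo_db() -> LoginDatabase:
    """Constructed sample: one user whose home directory holds one file."""
    home = HomeDirectory("shap")
    home.files["notes.txt"] = b"hello"
    db = LoginDatabase()
    db.enroll("shap", "correct horse battery staple", lambda: Session(home))
    return db


if __name__ == "__main__":
    db = make_demo_db()
    print(db.login("shap", "correct horse battery staple").list_files())
    print(db.login("shap", "wrong password"))
```

The factory stored in the entry is the "reconnect him to the following session" capability from the EROS excerpt: the database never exposes the home directory directly, only a session built over it, so the set of things a caller can reach after login is exactly what that factory closes over.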