[cap-talk] Unix FDs as capabilities, preventing socket creation,
smagi at naasking.homeip.net
Sun Nov 27 12:01:58 EST 2005
David Mercer wrote:
> Such an initial login process could itself be implemented purely in
> Have there always be present in the root context of all domains a
> special, publicly accessible 'well known capability' that takes an
> ID (which is really secretly transformed into a capability every
> time), a password (or biometric input, token output, etc.) and
> returns the capability that they point to. If they are wrong, you
> don't get the right (or perhaps even meaningful) one.
> Is that anything at all like how past/current cap systems handle initial
> user powerbox state? Pointers to how the above is wheel reinvention,
> which I suspect it is.
In EROS: there is a capability in your login database entry that says
"when shap logs in, reconnect him to the following session". The shell
within that session has a capability to your home directory. Other
capabilities proceed either from your home directory or from session
state held by your shell.
So the login database is a directory of capabilities indexed by your
login credentials. For this to be secure, login credentials should
preferably be "unguessable".
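As an added illustration (constructed for this page, not EROS code or anything posted in the thread), a small Python model of the "directory of capabilities indexed by login credentials" described above: the index key is a KDF output of (id, password), so the database holds no plaintext credential, and a wrong id or wrong password returns no capability at all rather than a meaningful one. Class and function names are assumptions.

```python
import hashlib
import os
import secrets
from typing import Dict, Optional

# Constructed model of a capability-based login directory (not EROS code).


class SessionCap:
    """Unforgeable session capability; only the login directory mints these.
    Holding the object *is* the authority: there is no name to guess."""

    def __init__(self, home: str) -> None:
        self._home = home  # stands in for the home-directory capability
        self._nonce = secrets.token_bytes(16)  # makes each instance distinct

    def home(self) -> str:
        return self._home


class LoginDirectory:
    """Maps KDF(id, password) -> SessionCap.  The stored index is a slow
    hash of both credentials, so reading the database reveals neither."""

    def __init__(self, iterations: int = 50_000) -> None:
        self._salt = os.urandom(16)
        self._iterations = iterations
        self._entries: Dict[bytes, SessionCap] = {}

    def _index(self, login_id: str, password: str) -> bytes:
        # Both the id and the password feed the key; the id is never used
        # as a plaintext directory name (the "secretly transformed" id).
        material = login_id.encode() + b"\x00" + password.encode()
        return hashlib.pbkdf2_hmac("sha256", material, self._salt, self._iterations)

    def enroll(self, login_id: str, password: str, home: str) -> None:
        self._entries[self._index(login_id, password)] = SessionCap(home)

    def login(self, login_id: str, password: str) -> Optional[SessionCap]:
        """Return the session capability, or None.  Wrong id and wrong
        password are indistinguishable to the caller: both yield None.
        The lookup compares a KDF output, never the password itself, so
        lookup timing reveals nothing about the credential."""
        return self._entries.get(self._index(login_id, password))


def mint_unguessable_id(nbytes: int = 32) -> str:
    """Unguessable login credential, as the post recommends."""
    return secrets.token_urlsafe(nbytes)
```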