[cap-talk] Ambient authority in DVH, PDP-1 supervisor, Multics
Jed at Webstart
donnelley1 at webstart.com
Tue Aug 1 15:10:02 EDT 2006
At 03:33 PM 7/30/2006, Charles Landau wrote:
>...
>
>It may not be widely known that the Dennis and Van Horn paper,
>despite its brilliant formulation of capabilities, also made use of
>ambient authority.
<namely, every process can access the permissions of its human
initiator, its "principal", thereby making it impossible to limit access
by the Principle Of Least Authority>
>(In fact I didn't know it until just now, as I re-read the paper.)
>
>"The meta-instruction
>i := link <principal name>;
>inserts into the C-list at index i a nonowned directory capability
>pointing to the root directory named <principal name>. Using the
>acquire meta-instruction, a computation can thus gain access to any
>object in the directory structure of any principal, provided that the
>directory items leading from the principal directory to the object
>all contain F [free] indicators."
>
>Thus confinement is not possible in the system they describe.
>
>They go on to illustrate how to do ad-hoc access control, based on a
>meta-instruction that gives the principal name of a caller.
At 02:05 AM 8/1/2006, Fred Spiessens wrote:
>...
>In defense of DVH, I think it makes sense for a system to allow its
>human Principals to freely distribute their "owned" capabilities.
The DVH paper was a design document as I understand it, that in some
ways fed into both the PDP-1 supervisor and Multics.
I'd like to hear whether such an ambient authority mechanism showed
up in the PDP-1 supervisor, as I believe it did in Multics and did not
in RATS (KeyKOS, ...). How does a process typically get access to the
permissions of its user (principal) in those systems? In particular,
how in such a way that at least in some circumstances processes can be
run without any such "principal/user" authority?
--Jed http://www.webstart.com/jed/
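Added illustration for this thread (not code from the Dennis and Van Horn paper, nor from any participant or system discussed): a toy Python model of the quoted C-list mechanism, showing why the "link <principal name>" meta-instruction is ambient authority and defeats confinement. The class and method names (Directory, Entry, Capability, Process.link/acquire/walk) and the sample directory tree are my own constructions, and "acquire" is simplified to the rule the quote states: through a non-owned directory capability an item can be acquired only if it carries the F (free) indicator. The `has_link` switch is likewise a modelling device, standing in for a system that simply does not offer the meta-instruction.

```python
# Added illustration: toy model of a DVH-style C-list with the "link" meta-instruction.
# Not code from the paper or any real system; names and semantics are assumptions
# chosen for the model (acquire simplified to the F-indicator rule quoted above).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    obj: object           # a Directory or a leaf object (here just a string payload)
    free: bool            # the F (free) indicator on this directory item


@dataclass
class Directory:
    name: str
    items: Dict[str, Entry] = field(default_factory=dict)


@dataclass
class Capability:
    obj: object
    owned: bool           # owned vs. non-owned directory capability


class Process:
    """A computation with a C-list. Its initial authority is whatever its creator
    placed in the C-list; 'link' lets it add authority merely by naming a principal."""

    def __init__(self, roots: Dict[str, Directory], clist=None, has_link=True):
        self.roots = roots                       # principal name -> root directory
        self.clist: List[Capability] = list(clist or [])
        self.has_link = has_link                 # model switch: is 'link' available at all?

    def link(self, principal_name: str) -> int:
        # "i := link <principal name>": a non-owned directory capability for the
        # principal's root, obtained without holding any capability beforehand.
        if not self.has_link:
            raise PermissionError("link meta-instruction not available")
        self.clist.append(Capability(self.roots[principal_name], owned=False))
        return len(self.clist) - 1

    def acquire(self, i: int, item: str) -> int:
        # Simplified acquire: a non-owned directory capability only yields F items.
        cap = self.clist[i]
        if not isinstance(cap.obj, Directory):
            raise TypeError("C-list index %d is not a directory capability" % i)
        entry = cap.obj.items[item]
        if not cap.owned and not entry.free:
            raise PermissionError("item %r is not F (free)" % item)
        self.clist.append(Capability(entry.obj, owned=cap.owned))
        return len(self.clist) - 1

    def walk(self, i: int, path: List[str]) -> Optional[object]:
        """Follow a chain of acquires from C-list index i; None if any step is blocked."""
        try:
            for item in path:
                i = self.acquire(i, item)
            return self.clist[i].obj
        except (PermissionError, KeyError):
            return None


def build_world() -> Dict[str, Directory]:
    # Constructed sample directory structure for a principal named "alice".
    shared = Directory("shared", {"report": Entry("quarterly numbers", free=True)})
    private = Directory("private", {"keys": Entry("ssh private key", free=True)})
    alice = Directory("alice", {
        "shared": Entry(shared, free=True),      # F all the way down: reachable via link
        "private": Entry(private, free=False),   # not F: blocks the non-owned path
    })
    return {"alice": alice}


def confined_reads_report(has_link: bool) -> bool:
    """A process created with an EMPTY C-list (the confinement case): can it
    still reach alice's report?"""
    p = Process(build_world(), clist=[], has_link=has_link)
    try:
        i = p.link("alice")
    except PermissionError:
        return False
    return p.walk(i, ["shared", "report"]) == "quarterly numbers"


def nonfree_path_blocked() -> bool:
    """The F rule still limits what link exposes: a non-F item stops the walk."""
    p = Process(build_world(), clist=[])
    i = p.link("alice")
    return p.walk(i, ["private", "keys"]) is None


if __name__ == "__main__":
    print("empty C-list + link reaches report:", confined_reads_report(True))     # True
    print("empty C-list, no link, reaches report:", confined_reads_report(False))  # False
    print("non-F item blocked even with link:", nonfree_path_blocked())           # True
```

The point the model makes: with `link` available, a process whose creator gave it an empty C-list nonetheless reaches everything under any principal's root that is marked F, so confinement cannot be enforced by what the creator hands over; remove the meta-instruction and the same process can reach nothing beyond its C-list. The F indicator narrows the exposure but does not restore confinement.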