[cap-talk] Ambient authority in DVH
Charles Landau
clandau at macslab.com
Sun Jul 30 17:33:58 CDT 2006
At 8:36 PM -0700 7/28/06, Jed at Webstart wrote:
>However, the main point I want to make in this regard is that Jack Dennis:
>
>http://en.wikipedia.org/wiki/Jack_Dennis
>http://www.csg.lcs.mit.edu/Users/dennis/
>
>, the Dennis of Dennis and Van Horn, did have a significant impact on the
>Multics design. One might ask, if Dennis was a co-author on the seminal
>capability paper, why was it that Multics ended up so far from capabilities?
>
>...
>How did they get completely away from object capabilities and to an ambient
>authority (user) model with access lists and a hierarchical (and not object
>capability) file/directory system???
It may not be widely known that the Dennis and Van Horn paper,
despite its brilliant formulation of capabilities, also made use of
ambient authority. (In fact I didn't know it until just now, as I
re-read the paper.)
"The meta-instruction
i := link <principal name>;
inserts into the C-list at index i a nonowned directory capability
pointing to the root directory named <principal name>. Using the
acquire meta-instruction, a computation can thus gain access to any
object in the directory structure of any principal, provided that the
directory items leading from the principal directory to the object
all contain F [free] indicators."
Thus confinement is not possible in the system they describe.
They go on to illustrate how to do ad-hoc access control, based on a
meta-instruction that gives the principal name of a caller.
I believe the evils of ambient authority simply weren't known at that
early date.
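The quoted "link" and "acquire" meta-instructions, as an added toy model that is not code from the paper or from this thread: it shows that a computation starting with an empty C-list still reaches every F-marked object of any principal while "link" exists, and nothing once it is removed. The principals, directory contents and method names are constructed for the illustration.

```python
# Toy model of the C-list, "link" and "acquire" from the quoted DVH passage,
# written for this post. It is not code from the paper; the names, the two
# principals and the directory contents are all constructed for illustration.

def make_world():
    """Each principal owns a root directory: a dict name -> (item, F flag)."""
    work = {"report": ("bob-report", True)}            # F: free to link to
    return {
        "alice": {"notes": ("alice-public-note", True),
                  "key": ("alice-private-key", False)},
        "bob": {"work": (work, True), "diary": ("bob-diary", False)},
    }

class CList:
    """A computation's capability list. with_link=False removes the ambient
    'link' meta-instruction, leaving only what the C-list already holds."""
    def __init__(self, roots, with_link):
        self.roots, self.with_link, self.caps = roots, with_link, []

    def link(self, principal):
        """i := link <principal>: nonowned cap to that principal's root directory."""
        if not self.with_link:
            raise PermissionError("no ambient authority: link unavailable")
        self.caps.append(self.roots[principal])
        return len(self.caps) - 1

    def acquire(self, i, name):
        """Follow item <name> in the directory at C-list index i; F items only."""
        item, free = self.caps[i][name]
        if not free:
            raise PermissionError(f"{name} is not marked F")
        self.caps.append(item)
        return len(self.caps) - 1

def reach(with_link, principal, path):
    """Start from an EMPTY C-list and try to walk path under principal."""
    c = CList(make_world(), with_link)
    try:
        i = c.link(principal)
        for name in path:
            i = c.acquire(i, name)
        return c.caps[i]
    except (PermissionError, KeyError, TypeError):
        return None

# With link, a computation holding no capabilities at all still reaches every
# F-marked object of any principal; without it, the empty C-list reaches nothing.
```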