[cap-talk] Ambient authority in DVH

Norman Hardy norm at cap-lore.com
Mon Jul 31 16:03:15 CDT 2006


Thanks for digging that out!!

On Jul 30, 2006, at 3:33 PM, Charles Landau wrote:

> At 8:36 PM -0700 7/28/06, Jed at Webstart wrote:
>> However, the main point I want to make in this regard is that Jack Dennis:
>>
>> http://en.wikipedia.org/wiki/Jack_Dennis
>> http://www.csg.lcs.mit.edu/Users/dennis/
>>
>> , the Dennis of Dennis and Van Horn, did have a significant impact on the
>> Multics design.  One might ask, if Dennis was a co-author on the seminal
>> capability paper, why was it that Multics ended up so far from capabilities?
>>
>> ...
>> How did they get completely away from object capabilities and to an
>> ambient authority (user) model with access lists and a hierarchical (and
>> not object capability) file/directory system???
>
> It may not be widely known that the Dennis and Van Horn paper,
> despite its brilliant formulation of capabilities, also made use of
> ambient authority. (In fact I didn't know it until just now, as I
> re-read the paper.)
>
> "The meta-instruction
> i := link <principal name>;
> inserts into the C-list at index i a nonowned directory capability
> pointing to the root directory named <principal name>. Using the
> acquire meta-instruction, a computation can thus gain access to any
> object in the directory structure of any principal, provided that the
> directory items leading from the principal directory to the object
> all contain F [free] indicators."
>
> Thus confinement is not possible in the system they describe.
>
> They go on to illustrate how to do ad-hoc access control, based on a
> meta-instruction that gives the principal name of a caller.
>
> I believe the evils of ambient authority simply weren't known at that
> early date.

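A toy model of the link and acquire meta-instructions quoted above, added here as an example; it is not part of the original thread or of the Dennis and Van Horn paper. The `Computation` class, the dict-based directories, the sample tree for a principal "alice", and the `allow_link` switch (standing in for a system with no global principal namespace) are assumptions made for illustration.

```python
ROOTS = {}   # principal name -> root directory; a namespace open to every computation

class Computation:
    def __init__(self, allow_link=True):
        self.clist = []                 # entries are (object, owned)
        self.allow_link = allow_link    # assumption: False models a system without link

    def link(self, principal):
        """i := link <principal name>; needs no capability the caller already holds."""
        if not self.allow_link:
            raise PermissionError("no global principal namespace")
        self.clist.append((ROOTS[principal], False))   # nonowned directory capability
        return len(self.clist) - 1

    def acquire(self, i, name):
        directory, owned = self.clist[i]
        target, free = directory[name]  # directory item: (target, F indicator)
        if not owned and not free:
            raise PermissionError(name + " is not marked F")
        self.clist.append((target, owned))
        return len(self.clist) - 1

def reachable_from_nothing(comp, principal):
    """Item names a computation with an empty C-list can reach by name alone."""
    try:
        frontier = [comp.link(principal)]
    except PermissionError:
        return set()
    found = set()
    while frontier:
        i = frontier.pop()
        for name in list(comp.clist[i][0]):
            try:
                j = comp.acquire(i, name)
            except PermissionError:
                continue                # an item without F blocks this path
            found.add(name)
            if isinstance(comp.clist[j][0], dict):
                frontier.append(j)      # acquired a directory: keep walking
    return found

def build_sample():   # constructed directory tree for a hypothetical principal "alice"
    docs = {"report": ("segment", True), "keys": ("segment", False)}
    private = {"diary": ("segment", True)}
    ROOTS["alice"] = {"docs": (docs, True), "private": (private, False)}

if __name__ == "__main__":
    build_sample()
    print(reachable_from_nothing(Computation(), "alice"))
    print(reachable_from_nothing(Computation(allow_link=False), "alice"))
```

The first call starts with an empty C-list and still reaches `docs` and `report`, because the principal name alone is enough to get a starting capability; with `link` unavailable the same computation reaches nothing.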

