[cap-talk] ACLs: why not have them IN ADDITION to capabilities
David Nicol
davidnicol at gmail.com
Mon Jul 31 19:23:44 EDT 2006
The question seems to me to be "Can a user model and ACLs be
implemented in terms of capabilities?" to which the answer is
entirely "YES!" and the "logging forwarder" referred to previously
provides an example of such.
Instead of "Is the agent attempting the action owned by a user
on the ACL" the question in practice becomes "does the agent
in question hold a capability allowing the action?" and so on.
> > Much is said on this list about the "evils" of ACLs. But why
> > can't we have them IN ADDITION to capabilities? Do they break the
> > capability model in some way? What I am thinking the answer
> > is that ACLs grant too much authority. Is there some way to
> > fit ACLs into a capability framework (instead of vice versa).
> > If you have somewhere in your system, a notion of user, then
> > you could write custom logic that would test for the user.
> > What I am thinking of is using client side certificates to
> > authenticate users. The capability being passed to another
> > user *might* send with that capability the user who was
> > originally granted the authority. Then in some ways, we
> > could track where the capability travelled to (which we can
> > do anyway), and who was responsible for a capability leak.
> >
> > This sounds like an administrative nightmare for most
> > systems, but adding the notion of user may help sell
> > capabilities in some circles.