[cap-talk] Ambient authority in DVH

Jed at Webstart donnelley1 at webstart.com
Mon Jul 31 18:59:48 CDT 2006


At 03:33 PM 7/30/2006, Charles Landau wrote:
>At 8:36 PM -0700 7/28/06, Jed at Webstart wrote:
> >However, the main point I want to make in this regard is that Jack Dennis:
> >
> >http://en.wikipedia.org/wiki/Jack_Dennis
> >http://www.csg.lcs.mit.edu/Users/dennis/
> >
> >, the Dennis of Dennis and Van Horn, did have a significant impact on the
> >Multics design.  One might ask, if Dennis was a co-author on the seminal
> >capability paper, why was it that Multics ended up so far from capabilities?
> >...
> >How did they get completely away from object capabilities and to an ambient
> >authority (user) model with access lists and a hierarchical (and not object
> >capability) file/directory system???
>
>It may not be widely known that the Dennis and Van Horn paper,
>despite its brilliant formulation of capabilities, also made use of
>ambient authority. (In fact I didn't know it until just now, as I
>re-read the paper.)
>
>"The meta-instruction
>i := link <principal name>;
>inserts into the C-list at index i a nonowned directory capability
>pointing to the root directory named <principal name>. Using the
>acquire meta-instruction, a computation can thus gain access to any
>object in the directory structure of any principal, provided that the
>directory items leading from the principal directory to the object
>all contain F [free] indicators."
>
>Thus confinement is not possible in the system they describe.

Hmmm.  I take your point.  It still seems to me possible in DVH to do
confinement more along the lines of the way Polaris does it by having
a "principal" with few or no capabilities.  I guess there wasn't any
notion of network access as there is today, so I think the notion
of confinement might be considered in a somewhat different light.

Still, what you say about "ambient authority" in the DVH paper,
namely processes automatically and unavoidably getting all
permissions of their principals, seems true.

>They go on to illustrate how to do ad-hoc access control, based on a
>meta-instruction that gives the principal name of a caller.
>
>I believe the evils of ambient authority simply weren't known at that
>early date.

I see.  In a prior higher level discussion of this same topic we see:

"When the supervisor creates a computation on behalf of
a principal, it always places in the C-list of such a computation
a directory capability with an O indicator that
points to the principal's root directory. The principal is
then said to own this computation and each of its processes.
These processes are then permitted to exercise powers of
ownership with respect to objects owned by the principal."

<aside: I also hadn't recalled this from previous readings:

"Our notion of the capability
list stems from the "program reference table" idea first
used in the Burroughs B5000 system.">


That being the apparent case, where did the notion of separating
the permissions of a process from those of the "principal" (user)
who initiated the process come from?

As I recall (not doing the reading again right now) the notions of user
permissions and process permissions were distinct in the RATS
system.  Users (principals) had directories.  Something like the
command line interpreter could give a process access to the root
directory of a user who started a process, but need not.

Was the notion of permissions for users/Principals distinct from those
for processes in the PDP-1 supervisor as implemented (as distinct
from as described in DVH)?  Do you know Charlie, Bill?

That was certainly the philosophy in NLTSS and I expect in many
other capability systems.

In the Elephant storage system, that was already implemented at LLL when
I arrived there in 1972, directories were just named bags of other capabilities,
including file and directory capabilities.  That system was necessarily a
directed graph - not any sort of tree - e.g. a "principal" based tree.  When
users authenticated they got access to their root, and after that sharing
was done by moving capabilities between directories.

The same was true in RATS as I recall.  <Both RATS and the Elephant
storage system implemented a garbage collection mechanism - not
easy in a directed graph and essentially impossible on a large network.>


<aside: Incidentally, I see a version of Solitaire for the PDP-1:

http://www.bitsavers.org/pdf/mit/rle_pdp1/listings/Solitare.pdf

It seems that even back then it ran with ambient authority ;-)>

--Jed http://www.webstart.com/jed/  
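A toy model of the DVH rules quoted in this thread, added here as an illustration and not code from the paper or from anyone on the list. Only `link`, `acquire`, the C-list and the F/O indicators come from DVH; the class names, `walk`, `build_sample`, the simplified `acquire` semantics and the sample directories are my own assumptions. It shows why even a computation whose C-list starts out empty can still reach every free-marked object of every principal.

```python
from dataclasses import dataclass, field

ROOTS = {}  # constructed sample world: principal name -> root Directory

@dataclass
class Directory:
    owner: str
    items: dict = field(default_factory=dict)  # name -> (indicator, obj); 'F' free, 'O' owned-only

@dataclass
class Computation:
    principal: str
    clist: list = field(default_factory=list)  # entries: (held_as_owned, obj)

    def link(self, principal_name):
        """DVH 'i := link <principal name>': nonowned capability for that root directory."""
        self.clist.append((False, ROOTS[principal_name]))
        return len(self.clist) - 1

    def acquire(self, i, item_name):
        """Simplified DVH 'acquire': nonowned holders take only F items, owners anything."""
        owned, directory = self.clist[i]
        indicator, obj = directory.items[item_name]
        if not owned and indicator != "F":
            raise PermissionError(f"{item_name} is not marked F")
        self.clist.append((owned, obj))
        return len(self.clist) - 1

def create_computation(principal):
    """Supervisor rule quoted above: start with an owned (O) root capability (ambient authority)."""
    c = Computation(principal)
    c.clist.append((True, ROOTS[principal]))
    return c

def walk(c, principal, path):
    """link to a principal's root, then acquire along path; None if an item is not free."""
    i = c.link(principal)
    try:
        for name in path:
            i = c.acquire(i, name)
    except PermissionError:
        return None
    return c.clist[i][1]

def build_sample():
    """Constructed data: alice has pub/ (F) holding report (F) and secret (O); bob is empty."""
    ROOTS.clear()
    ROOTS.update(alice=Directory("alice"), bob=Directory("bob"))
    pub = Directory("alice", {"report": ("F", "report-contents")})
    ROOTS["alice"].items.update(pub=("F", pub), secret=("O", "secret-contents"))
```

With an empty C-list, a computation for `bob` still reaches alice's `report` through `link`, which is the confinement failure Charles points out; only the O indicator on `secret` stops it, while alice's own computation gets `secret` unasked because the supervisor hands it an owned root capability.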