[cap-talk] Unix inode communication seen as breaking TCSEC
Jed at Webstart
donnelley1 at webstart.com
Wed Nov 1 20:44:50 CST 2006
Related to my previous note on capabilities and NCSC TCSEC, it
occurred to me to consider some features of systems like Unix and
Windows in the light of those criteria. In particular the feature in
Unix that plash uses where open file descriptors can be communicated
through pipes (please correct my terminology or concept if I've
missed it here) seems to me to completely break all the TCSEC criteria
that are discussed in the document that I posted just as "traditional
capabilities" do. Namely, such communication can allow file access
despite not being allowed by the nominal Unix rwx ugo access
controls, and there is no auditing on such communication.
I wonder if those folks (TCSEC evaluators) feel that such a "feature"
in Unix breaks its opportunity for providing security?
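The descriptor-passing feature the post refers to is SCM_RIGHTS over AF_UNIX sockets (a socketpair or a named socket) rather than a plain pipe. The following is an added example, not code from the post or from plash: a parent hands an open descriptor to a child over a socketpair, and the child reads the file through it even though, for a non-root process, open() on the mode-0 file would be refused, because Unix checks rwx/ugo at open() time and not at read(). The path argument and the file content are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#define PAYLOAD "secret\n"   /* constructed file content */

/* Move one descriptor over an AF_UNIX socket via SCM_RIGHTS.
 * fd_out == NULL means "send fd_in"; otherwise receive into *fd_out. */
static int pass_fd(int sock, int fd_in, int *fd_out) {
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 }; struct msghdr msg = { 0 };
    memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (fd_out == NULL) {                       /* sending side */
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd_in, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1 || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(fd_out, CMSG_DATA(c), sizeof(int));  /* kernel installed a new fd */
    return 0;
}

/* Parent opens the file, then chmods it to 0 so rwx/ugo would refuse everyone.
 * The child never calls open(): it reads via the received fd. Returns 1 on success. */
int demo_fd_passing(const char *path) {
    int sv[2], fd, status = 0; FILE *f = fopen(path, "w");
    if (!f || fputs(PAYLOAD, f) == EOF || fclose(f) != 0) return 0;
    fd = open(path, O_RDONLY);
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    chmod(path, 0);                    /* nominal access control now says no */
    pid_t pid = fork();
    if (pid == 0) {
        int got; char buf[32] = { 0 };
        close(sv[0]); close(fd);       /* child keeps only its socket end */
        if (pass_fd(sv[1], -1, &got) < 0) _exit(2);
        ssize_t n = read(got, buf, sizeof buf - 1);   /* no permission check */
        _exit(n > 0 && strcmp(buf, PAYLOAD) == 0 ? 0 : 3);
    }
    close(sv[1]);
    if (pid > 0) { pass_fd(sv[0], fd, NULL); waitpid(pid, &status, 0); }
    close(fd); close(sv[0]); chmod(path, 0600); unlink(path);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Nothing in this exchange is visible to the file's permission bits, which is the point the post makes: the authority travels with the descriptor, outside the nominal rwx/ugo check.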