[cap-talk] Unix inode communication seen as breaking TCSEC

Mark Miller erights at gmail.com
Wed Nov 1 23:55:20 CST 2006

On 11/1/06, Jed at Webstart <donnelley1 at webstart.com> wrote:
> cap-talk,
> Related to my previous note on capabilities and NCSC TCSEC, it
> occurred to me to consider some features of systems like Unix and
> Windows in the light of those criteria.  In particular the feature in
> Unix that plash uses where open file descriptors can be communicated
> through pipes (please correct my terminology or concept if I've
> missed it here) seems to me to completely break all the TCSEC criteria
> that are discussed in the document that I posted just as "traditional
> capabilities" do.  Namely, such communication can allow file access
> despite not being allowed by the nominal Unix rwx ugo access
> controls, and there is no auditing on such communication.
> I wonder if those folks (TCSEC evaluators) feel that such a "feature"
> in Unix breaks its opportunity for providing security?

I talked to the architect of Sun's "Trusted Solaris" operating system,
who explained to me that Trusted Solaris disallows such "Unix Domain
Sockets" between compartments (their "zones") precisely because they
believed that the ability to pass file descriptors was too dangerous.

Text by me above is hereby placed in the public domain
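The mechanism the thread is about, as an added example that is not code from either poster or from plash: one process opens a file, every rwx bit is then cleared on it, and the open descriptor is handed to another endpoint of a Unix domain socket (a socketpair here) as SCM_RIGHTS ancillary data; the receiver reads the file through the copy regardless of the mode bits, and nothing in the kernel records the transfer. The file path is a constructed temporary used only by this demonstration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send descriptor fd over Unix domain socket sock as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char byte = 'x';                        /* at least one data byte must ride along */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock; the kernel installs a copy in our fd table. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Create a constructed file at path, open it, clear every rwx bit, pass the open
   descriptor through a socketpair and read through the received copy.
   Returns bytes read via the passed fd (mode bits are checked only at open()), or -1. */
int demo_pass_fd(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600), sv[2];
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    chmod(path, 0);                         /* nobody could open(path) by mode bits now */
    if (send_fd(sv[0], fd) < 0) return -1;
    int got = recv_fd(sv[1]), n = -1; char buf[16];
    /* The copy shares the open file description (and its offset), so rewind first. */
    if (got >= 0) { lseek(got, 0, SEEK_SET); n = (int)read(got, buf, sizeof buf); }
    close(fd); close(got); close(sv[0]); close(sv[1]); unlink(path);
    return n;
}

int main(void) { return demo_pass_fd("/tmp/cap_talk_fd_demo.txt") == 7 ? 0 : 1; }
```

The same exchange works across fork() or between unrelated processes connected over a filesystem socket, which is the case the Trusted Solaris zone restriction above is aimed at.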
