[cap-talk] Linux Caps for 'non-privileged' operations?
jmorris at namei.org
Tue Nov 7 00:18:52 CST 2006
On Mon, 6 Nov 2006, Casey Schaufler wrote:
> > A call like 'open' however will provide a path to a file that in no
> > way conveys any authority to this file by itself.
> You're starting to lose me ...
> > The authority is so to speak just floating around.
> ... and there I go. What authority?
Let me try (after reading the paper(s)), and then if I'm still wrong,
someone can enlighten me.
Firstly, I hadn't seen POLA used, and assumed it was different to POLP.
Some googling suggests they are the same thing, and that 'authority' is
used instead of 'privilege' in some circles for unknown reasons.
(In my mind, which is used to implementation and not research: privilege
is a right beyond what would be considered normal, whereas, authority
encapsulates normal rights as well as privileges. Thus, my confusion, as
in this discussion, they appear to mean the same thing).
So, using the term authority to refer to all of the rights possessed by a
domain: when a domain (e.g. a normal Unix user process) opens a file, it
has a specific authority over the file determined by DAC permissions on
the file and the DAC attributes of the domain. But, this domain also has
general authority, in terms of all of its other possible rights on the
system (e.g. to write to /tmp), which are superfluous to the authority it
has over the file it just opened. The latter, I believe, is ambient
authority: the total set of rights which the domain can exercise,
regardless of specific authority over objects it may be currently
So, I think the idea of the term ambient authority is to make this
distinction, so that you can talk about how authority (privilege) can be
constrained to that associated with a specific object access, and also in
terms of escalating or transferring that authority to other domains.
Someone please let me know if I've got it wrong :-)
<jmorris at namei.org>
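As an added illustration of the distinction drawn in the post above (this is example code, not part of the original message or of any project discussed here): the authority a process gets over a file from open(2) lives in the descriptor, while the authority to resolve the path comes from the process's ambient rights. The program below opens a file, removes its name, and shows that a fresh open() of the path now fails while the already-held descriptor still reads the content. It assumes only a writable current directory (an assumption of this example) and needs no privileges.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Show that an open descriptor carries authority over a file that is
 * separate from the ambient authority needed to look the path up.
 * Assumption of this example: the working directory is writable.
 * Returns 1 when the held fd still reads the expected content after the
 * path has been unlinked and a fresh open(2) of that path fails, else 0. */
int fd_outlives_path(void) {
    char path[] = "./cap-talk-demo-XXXXXX";           /* constructed temp name */
    const char msg[] = "authority travels with the descriptor\n";
    char buf[sizeof msg];

    int wfd = mkstemp(path);
    if (wfd < 0)
        return 0;
    if (write(wfd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(wfd);
        unlink(path);
        return 0;
    }
    close(wfd);

    /* Step 1: ambient authority (DAC on the file plus the right to walk the
     * namespace) turns a path into a descriptor with specific authority. */
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) {
        unlink(path);
        return 0;
    }

    /* Step 2: remove the name.  From now on no domain, however much ambient
     * authority it has, can obtain a descriptor for this file via the path. */
    if (unlink(path) != 0) {
        close(rfd);
        return 0;
    }
    int again = open(path, O_RDONLY);
    int path_gone = (again < 0 && errno == ENOENT);
    if (again >= 0)
        close(again);

    /* Step 3: the specific authority already held in rfd is unaffected. */
    ssize_t n = read(rfd, buf, sizeof buf - 1);
    int still_readable = 0;
    if (n > 0) {
        buf[n] = '\0';
        still_readable = (strcmp(buf, msg) == 0);
    }
    close(rfd);
    return path_gone && still_readable;
}

int main(void) {
    puts(fd_outlives_path()
             ? "descriptor kept its authority after the path was removed"
             : "unexpected result");
    return 0;
}
```

The same descriptor could be handed to another process (by fork(2) inheritance or SCM_RIGHTS over a Unix socket) and would confer exactly that one file's authority, which is the "transferring that authority to other domains" case the post mentions; a path string handed across the same boundary confers nothing unless the receiver already has the ambient authority to open it.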