[cap-talk] Linux Caps for 'non privileged' operations?

James Morris jmorris at namei.org
Tue Nov 7 00:18:52 CST 2006


On Mon, 6 Nov 2006, Casey Schaufler wrote:

> > A call like 'open' however will provide a path to a
> > file that in no
> > way conveys any authority to this file by itself.
> 
> You're starting to lose me ...
> 
> > The authority is so to speak just floating around.
> 
> ... and there I go. What authority?

Let me try (after reading the paper(s)), and then if I'm still wrong, 
someone can enlighten me.

Firstly, I hadn't seen POLA used, and assumed it was different to POLP.  
Some googling suggests they are the same thing, and that 'authority' is 
used instead of 'privilege' in some circles for unknown reasons.

(In my mind, which is used to implementation and not research: privilege 
is a right beyond what would be considered normal, whereas, authority 
encapsulates normal rights as well as privileges.  Thus, my confusion, as 
in this discussion, they appear to mean the same thing).

So, using the term authority to refer to all of the rights possessed by a 
domain: when a domain (e.g. a normal Unix user process) opens a file, it 
has a specific authority over the file determined by DAC permissions on 
the file and the DAC attributes of the domain.  But, this domain also has 
general authority, in terms of all of its other possible rights on the 
system (e.g. to write to /tmp), which are superfluous to the authority it 
has over the file it just opened.  The latter, I believe, is ambient 
authority: the total set of rights which the domain can exercise, 
regardless of specific authority over objects it may be currently 
accessing.

So, I think the idea of the term ambient authority is to make this 
distinction, so that you can talk about how authority (privilege) can be 
constrained to that associated with a specific object access, and also in 
terms of escalating or transferring that authority to other domains.


Someone please let me know if I've got it wrong :-)


-- 
James Morris
<jmorris at namei.org>
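[Editor's note: the following C program is an added illustration of the distinction drawn in the message above; it is not part of James's post or of anything on cap-talk. It makes the specific/ambient split observable on an ordinary Linux box without root: the process opens a file (mkstemp), then removes every DAC bit on it with chmod(path, 0). The descriptor it already holds keeps working (the authority over that object travels with the fd), while a second open() of the same path by the same process is refused, because a path-based open draws on the process's ambient authority (its uid/gid against the file's mode) and that authority is now gone. The function and struct names are the editor's own; the temp-file path under /tmp is an assumption about the host.]

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What each route to the file yielded after the process's DAC rights on
 * the file were removed.  (Hypothetical names, added for this example.) */
struct authority_probe {
    int fd_write_ok;    /* 1 if write() through the already-held fd succeeded */
    int fd_read_ok;     /* 1 if the held fd could read the data back */
    int reopen_failed;  /* 1 if a fresh open() by path was refused */
    int reopen_errno;   /* errno from the refused open (EACCES expected) */
};

/* Returns 0 on success (probe results in *out), -1 if setup failed. */
int probe_ambient_vs_held_authority(struct authority_probe *out)
{
    char path[] = "/tmp/captalk-probe-XXXXXX";   /* assumption: /tmp is writable */
    memset(out, 0, sizeof *out);

    /* mkstemp() creates the file mode 0600 and hands back an open O_RDWR fd.
     * That descriptor is the "specific authority" over this one object. */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* Remove every DAC bit, owner included.  The process's ambient authority
     * (its uid matched against the file's mode) no longer reaches this file. */
    if (chmod(path, 0) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* Route 1: the descriptor we already hold.  Permission was checked at
     * open() time and is bound to the fd, so it still works. */
    const char msg[] = "held authority survives chmod 0\n";
    if (write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1))
        out->fd_write_ok = 1;

    char buf[64] = {0};
    if (lseek(fd, 0, SEEK_SET) == 0 &&
        read(fd, buf, sizeof buf - 1) > 0 &&
        strcmp(buf, msg) == 0)
        out->fd_read_ok = 1;

    /* Route 2: name the same file again by path.  This is the ambient-authority
     * route: the kernel re-evaluates DAC for this process, and refuses. */
    int fd2 = open(path, O_RDONLY);
    if (fd2 < 0) {
        out->reopen_failed = 1;
        out->reopen_errno = errno;
    } else {
        /* Only reachable with CAP_DAC_OVERRIDE, e.g. when run as root. */
        close(fd2);
    }

    close(fd);
    unlink(path);   /* needs write on /tmp, not on the file itself */
    return 0;
}

int main(void)
{
    struct authority_probe p;
    if (probe_ambient_vs_held_authority(&p) != 0) {
        perror("probe setup");
        return 1;
    }
    printf("write via held fd: %s\n", p.fd_write_ok ? "ok" : "FAILED");
    printf("read via held fd:  %s\n", p.fd_read_ok ? "ok" : "FAILED");
    printf("reopen by path:    %s%s%s\n",
           p.reopen_failed ? "refused (" : "allowed",
           p.reopen_failed ? strerror(p.reopen_errno) : "",
           p.reopen_failed ? ")" : " - running with CAP_DAC_OVERRIDE?");
    return 0;
}
```

Run it as an unprivileged user to see the refusal; as root (or with CAP_DAC_OVERRIDE) the second open succeeds, which is itself a neat demonstration of the thread's topic: a Linux capability is a further chunk of ambient authority layered on top of DAC, not authority tied to any particular object.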

