[cap-talk] Linux Caps for 'non priviledged' operations?

Mark S. Miller markm at cs.jhu.edu
Tue Nov 7 01:03:48 CST 2006


James Morris wrote:
> Let me try (after reading the paper(s)), and then if I'm still wrong, 
> someone can enlighten me.
> 
> Firstly, I hadn't seen POLA used, and assumed it was different to POLP.  

Yes, it is different.


> Some googling suggests they are the same thing, and that 'authority' is 
> used instead of 'privilege' in some circles for unknown reasons.

For most of the history of access control, the terms "permission", 
"privilege", "authority", "right", and "access right" were used approximately 
interchangeably. However, the folks using these terms only thought they meant 
the same things by them.

Many in the capability community, especially those associated with Key Logic 
and those who learned from them, understood that the important thing to 
control was what effects an entity could cause. They generally used these 
terms to mean approximately what we now call "authority". Many other security 
researchers generally used these terms to mean approximately what we now call 
"permissions" -- the set of actions that the protection system allows an 
entity to take directly. Because these two groups were using the same cloud of 
words to mean different things without either realizing it, much confusion 
reigned. Neither side could really understand why the other side couldn't 
understand what it was saying. I believe there's no other way to understand 
the history of statements made by each side, in particular regarding delegation.

Regarding Saltzer and Schroeder's "Principle of Least Privilege", it is 
unclear whether by "privilege" they meant something more like what we now call 
"permission" or what we now call "authority". In order to avoid reading our 
meaning into their words, we leave the term "privilege" unclarified, or 
rather, awaiting their clarification.


> So, using the term authority to refer to all of the rights possessed by a 
> domain: when a domain (e.g. a normal Unix user process) opens a file, it 
> has a specific authority over the file determined by DAC permissions on 
> the file and the DAC attributes of the domain.

Those would be permissions.


> But, this domain also has 
> general authority, in terms of all of its other possible rights on the 
> system (e.g. to write to /tmp), which are superfluous to the authority it 
> has over the file it just opened.

These would also be permissions.


> The latter, I believe, is ambient 
> authority: the total set of rights which the domain can exercise, 
> regardless of specific authority over objects it may be currently 
> accessing.

No, "ambient" is a different distinction which we can revisit once we have 
"permission" and "authority" clear.


> Someone please let me know if I've got it wrong :-)

Please see <http://erights.org/talks/thesis/>, especially sections 8.1, 9.3, and 
9.4. Comments appreciated!


-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
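A small executable model of the permission/authority distinction drawn in the reply above, added here as an illustration and not code from the post or from the thesis it cites. The protection state, the entities (alice, bob, a file) and bob's willingness to act on requests are all constructed assumptions; the point it shows is that an entity's authority (effects it can cause) can strictly exceed its permissions (actions it may take directly).

```python
from collections import deque

# Constructed protection state: the direct actions the protection system
# allows each entity to take, i.e. its PERMISSIONS in the reply's sense.
PERMISSIONS = {
    "alice": {("send", "bob")},           # alice may only message bob
    "bob":   {("write", "/tmp/notes")},   # bob may write the file directly
}

# Constructed behaviour: which of its own permissions an entity will
# exercise on behalf of anyone permitted to "send" to it. Behaviour like
# this is what turns one entity's permissions into effects another
# entity can cause, i.e. AUTHORITY in the reply's sense.
WILL_PROXY = {
    "bob": {("write", "/tmp/notes")},
}


def permissions(entity):
    """Actions the protection system lets `entity` take directly."""
    return set(PERMISSIONS.get(entity, ()))


def authority(entity):
    """Effects `entity` could cause: its own permissions plus every action
    a reachable proxy is willing to perform on request, transitively."""
    effects = set(permissions(entity))
    seen = {entity}
    queue = deque(target for action, target in effects if action == "send")
    while queue:
        proxy = queue.popleft()
        if proxy in seen:
            continue
        seen.add(proxy)
        for action, target in WILL_PROXY.get(proxy, ()):
            effects.add((action, target))
            if action == "send":          # proxy may itself reach further proxies
                queue.append(target)
    return effects


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, "permissions:", sorted(permissions(who)))
        print(who, "authority:  ", sorted(authority(who)))
```

Running it shows alice's authority includes writing /tmp/notes even though her permissions never mention the file; a protection-state analysis that stops at permissions misses that effect.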

