[cap-talk] Linux Caps for 'non privileged' operations?
Mark S. Miller
markm at cs.jhu.edu
Tue Nov 7 01:03:48 CST 2006
James Morris wrote:

> Let me try (after reading the paper(s)), and then if I'm still wrong,
> someone can enlighten me.
> Firstly, I hadn't seen POLA used, and assumed it was different to POLP.

Yes, it is different.

> Some googling suggests they are the same thing, and that 'authority' is
> used instead of 'privilege' in some circles for unknown reasons.

For most of the history of access control, the terms "permission",
"privilege", "authority", "right", and "access right" were used approximately
interchangeably. However, the folks using these terms only thought they meant
the same things by them.

Many in the capability community, especially those associated with Key Logic
and those who learned from them, understood that the important thing to
control was what effects an entity could cause. They generally used these
terms to mean approximately what we now call "authority". Many other security
researchers generally used these terms to mean approximately what we now call
"permissions" -- the set of actions that the protection system allows an
entity to take directly. Because these two groups were using the same cloud of
words to mean different things without either realizing it, much confusion
reigned. Neither side could really understand why the other side couldn't
understand what it was saying. I believe there's no other way to understand
the history of statements made by each side, in particular regarding delegation.

Regarding Saltzer and Schroeder's "Principle of Least Privilege", it is
unclear whether by "privilege" they meant something more like what we now call
"permission" or what we now call "authority". In order to avoid reading our
meaning into their words, we leave the term "privilege" unclarified, or
rather, awaiting their clarification.

> So, using the term authority to refer to all of the rights possessed by a
> domain: when a domain (e.g. a normal Unix user process) opens a file, it
> has a specific authority over the file determined by DAC permissions on
> the file and the DAC attributes of the domain.

Those would be permissions.

> But, this domain also has
> general authority, in terms of all of its other possible rights on the
> system (e.g. to write to /tmp), which are superfluous to the authority it
> has over the file it just opened.

These would also be permissions.

> The latter, I believe, is ambient
> authority: the total set of rights which the domain can exercise,
> regardless of specific authority over objects it may be currently

No, "ambient" is a different distinction which we can revisit once we have
"permission" and "authority" clear.

> Someone please let me know if I've got it wrong :-)

Please see <http://erights.org/talks/thesis/>, especially sections 8.1, 9.3, and
9.4. Comments appreciated!
Text by me above is hereby placed in the public domain
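The permission/authority distinction drawn in the message above, as an added example that is not part of the original post nor code from the thesis it links: a toy protection state where `PERMISSIONS` are the operations the system enforces directly and `RELAYS` describes program behaviour the system cannot see (which requests a subject will carry out for anyone able to send to it). All subject and object names are constructed for the illustration. `permissions()` is what the "permissions" camp measures, `authority()` is what the capability camp measures, and `permission_bound()` is the upper bound on authority you get by following send edges while ignoring behaviour.

```python
"""Permission vs authority in a constructed access-control model (added example)."""
from collections import deque

# Constructed sample protection state. ("send", X) means the subject is
# allowed to send a request to subject X; everything else is a direct
# operation on an object that the protection system enforces.
PERMISSIONS = {
    "alice":  {("read", "secret.txt")},
    "bob":    {("send", "proxy")},
    "carol":  {("send", "logger")},
    "proxy":  {("read", "secret.txt"), ("write", "/tmp/log"), ("send", "logger")},
    "logger": {("write", "/tmp/log")},
}

# Program behaviour, invisible to the protection system: the operations a
# subject performs on behalf of anyone who can send to it. "send" in the set
# means it will also forward requests to subjects it can reach itself.
RELAYS = {
    "proxy":  {"read", "send"},   # relays reads and forwards onward, never writes
    "logger": set(),              # accepts messages but never acts for the sender
}


def permissions(subject):
    """Actions the protection system lets the subject take directly."""
    return {(op, obj) for op, obj in PERMISSIONS.get(subject, set()) if op != "send"}


def permission_bound(subject):
    """Upper bound on authority: every direct permission reachable via send edges,
    assuming every reached subject would do anything asked of it."""
    seen, queue, bound = {subject}, deque([subject]), set()
    while queue:
        s = queue.popleft()
        for op, obj in PERMISSIONS.get(s, set()):
            if op == "send":
                if obj not in seen:
                    seen.add(obj)
                    queue.append(obj)
            else:
                bound.add((op, obj))
    return bound


def authority(subject):
    """Effects the subject can actually cause, directly or through cooperating
    subjects, given the behaviour recorded in RELAYS."""
    result = set(permissions(subject))
    seen, queue = {subject}, deque([subject])
    while queue:
        s = queue.popleft()
        for op, target in PERMISSIONS.get(s, set()):
            if op != "send" or target in seen:
                continue
            seen.add(target)
            relayed = RELAYS.get(target, set())
            # Only the operations the target is willing to perform for a caller
            # become part of the caller's authority.
            result |= {(o, x) for o, x in PERMISSIONS.get(target, set())
                       if o != "send" and o in relayed}
            if "send" in relayed:
                queue.append(target)
    return result


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "permissions:", sorted(permissions(who)))
        print(who, "authority:  ", sorted(authority(who)))
        print(who, "bound:      ", sorted(permission_bound(who)))
```

Running it shows bob with no direct permission on `secret.txt` yet the authority to read it (proxy reads on his behalf), no authority to write `/tmp/log` even though that is within his permission bound (proxy will not relay writes), and carol with a non-empty bound but empty authority (logger never acts for her). Reviewing only `permissions()` or only `permission_bound()` reaches different conclusions from reviewing `authority()`, which is the confusion the message describes.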