[cap-talk] Capabilities - the rub, an account

Eric Jacobs eric at theeric.com
Wed Nov 15 21:29:42 CST 2006


On Wed, 15 Nov 2006 17:33:28 -0800
Jed Donnelley <jed at nersc.gov> wrote:

> We talk a good line about revocable capabilities, membranes and
> such.  We all know how such mechanisms can work in capability
> systems.  However, consider capabilities in the light of what I hear
> are the absolute minimum access control/auditability requirements
> that many (most?) people dealing with computer security demand,
> including:
> 
> 1.  It's possible to look at the access control data on the system
> and determine who has access to what (both starting from who
> and finding what or starting from what and finding who),

I agree. "Who did I delegate my access to" seems like a pretty
fundamental query to any practical capability-based system. Perhaps
it was me filling in the gaps, but I always imagined that this sort of
facility would be part of the system.

> 2.  It must be possible to audit the system - find out who gave
> what to who.  I'm not sure today's market leading systems
> (e.g. Unix, Windows) actually succeed in this area, but it's
> one that certainly gets a lot of lip service.

"...and who did they delegate access to?" is a logical follow-on
question. This isn't the same class of question, though,
because we can assume that "who"s are not confinable, and thus
we may not be able to have a complete answer. But "who did they claim
that they delegated access to" is a reasonable query.

I believe these concerns could be addressed by simply having the default
system policy be that objects share their own delegation lists with
whoever delegated them that capability. The policy could be overridden
by a determined user, of course. I think you would call this
Voluntary Oblivious Compliance.

> I'm not going to be able to finish this message this evening
> as cleanly as I would like.  I do think I need to send it off.
> Let me just say that I believe there is an issue with permanence
> of access control granting that I haven't seen covered effectively
> in capability systems.  Just consider the HP member of the
> board who was removed from the board.  He loses his account.
> Does that mean that all his delegations are removed?  Should
> it?
> 
> If you argue that it should then it seems that all capabilities must
> be labeled at least with a person (like an identifier) so they can be
> revoked when the account is removed.  This would be a very strong
> sort of membrane like facility for all users.  I've never seen such
> implemented.  Others?

Probably me getting ahead of myself again, but I always thought that was
a fundamental aspect to these types of systems -- except that a capability
doesn't need to be associated with a personal identification; the intrinsic
identity of the capability would suffice.

My question is: why _wouldn't_ one want to run a system that did not
use such a membrane facility? What legitimate usage does a membrane
inhibit?

> On the other hand that would seem to suggest that only some
> sort of "superuser" would be able to grant permanent permissions
> (give permanent capabilities) that extend beyond their own accounts.
> That seems too much to me.

Why is it too much? This is my own computer. Why on earth would I
want to irrevocably delegate access to it to anyone else? What does
that gain me?

-Eric
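To make the two points above concrete (the delegation-list query and the "account removal acts as a membrane" behaviour), here is an added toy model in Python. It is not code from the cap-talk thread or from any real capability system; the class and method names (CapSystem, Capability, who_has, what_has, delegation_chain, delegations_from) and the board-member scenario are invented for illustration. Each delegation mints a new capability object that remembers the one it was derived from, so the capability's own derivation chain is enough both to answer "who gave what to whom" and to cut off everything downstream when an account is removed, with no per-person label on the capability itself.

```python
"""Toy model of delegation tracking and membrane-style revocation.

Added illustration for this thread, not code from any real capability
system; all names here are invented.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field

_ids = itertools.count(1)


@dataclass(eq=False)
class Capability:
    cap_id: int
    target: str                 # the object this capability names
    holder: str                 # account currently holding it
    parent: Capability | None   # capability it was delegated from; None for a root grant
    revoked: bool = False
    children: list[Capability] = field(default_factory=list)


class CapSystem:
    def __init__(self) -> None:
        self.caps: list[Capability] = []

    def grant(self, owner: str, target: str) -> Capability:
        """Root grant: the object's owner mints a capability for itself."""
        cap = Capability(next(_ids), target, owner, None)
        self.caps.append(cap)
        return cap

    def usable(self, cap: Capability) -> bool:
        """Live only if nothing on the derivation chain has been revoked.
        This is the membrane: revoking an ancestor kills every descendant."""
        c: Capability | None = cap
        while c is not None:
            if c.revoked:
                return False
            c = c.parent
        return True

    def delegate(self, cap: Capability, to: str) -> Capability:
        if not self.usable(cap):
            raise PermissionError("cannot delegate a revoked capability")
        child = Capability(next(_ids), cap.target, to, cap)
        cap.children.append(child)
        self.caps.append(child)
        return child

    def remove_account(self, who: str) -> None:
        """Account removal = revoke every capability that account holds;
        its onward delegations die with it via the chain walk in usable()."""
        for c in self.caps:
            if c.holder == who:
                c.revoked = True

    # --- the audit queries from the thread ---------------------------------
    def who_has(self, target: str) -> set[str]:
        """Starting from an object, find every account with live access."""
        return {c.holder for c in self.caps if c.target == target and self.usable(c)}

    def what_has(self, who: str) -> set[str]:
        """Starting from an account, find every object it can still reach."""
        return {c.target for c in self.caps if c.holder == who and self.usable(c)}

    def delegation_chain(self, cap: Capability) -> list[str]:
        """Who gave this to whom, from the root grant down to `cap`."""
        chain: list[str] = []
        c: Capability | None = cap
        while c is not None:
            chain.append(c.holder)
            c = c.parent
        chain.reverse()
        return chain

    def delegations_from(self, cap: Capability) -> list[tuple[str, str]]:
        """The delegation list an object shares back with a delegator:
        every (giver, receiver) edge beneath `cap`, depth first."""
        edges: list[tuple[str, str]] = []
        for child in cap.children:
            edges.append((cap.holder, child.holder))
            edges.extend(self.delegations_from(child))
        return edges


def board_scenario() -> dict:
    """Constructed scenario echoing the removed-board-member case."""
    s = CapSystem()
    root = s.grant("owner", "board-minutes")
    member = s.delegate(root, "board-member")
    s.delegate(member, "assistant")       # the member passes access on
    s.delegate(root, "counsel")
    before = s.who_has("board-minutes")
    s.remove_account("board-member")
    after = s.who_has("board-minutes")
    try:
        s.delegate(member, "someone-else")
        redelegation_blocked = False
    except PermissionError:
        redelegation_blocked = True
    return {
        "before": before,
        "after": after,
        "chain": s.delegation_chain(member.children[0]),
        "edges": s.delegations_from(root),
        "redelegation_blocked": redelegation_blocked,
    }


if __name__ == "__main__":
    for k, v in board_scenario().items():
        print(k, v)
```

Removing "board-member" silently removes "assistant" as well, because the assistant's capability was derived through the member's; "counsel", delegated directly by the owner, is unaffected. The derivation chain is the only record consulted, which is the sense in which the intrinsic identity of the capability, rather than a person label, carries the revocation.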

