[cap-talk] SPAM-LOW: Re: Capabilities - the rub, an account

Sandro Magi smagi at higherlogics.com
Fri Nov 24 09:03:36 CST 2006

John McCabe-Dansted wrote:
> OTOH, the case for giving e.g. a data entry operator edit rights is
> much less clear. They have a clearly defined job, and delegating
> arbitrary rights is not part of it.

The fact that it has to be an either/or for universal delegation is a
little broken and inflexible, don't you think? And who's to say what the
job may involve? Perhaps it requires delegation of certain rights but
not others. Every situation and every organization is different, and may
require more or less fine-grained authority management.

> This could be fixed with a change of culture rather than a change of
> security model. If there was good communication a one-minute trip to
> the IT guy's office could have fixed this under ACLs.

And if IT was outsourced?

> The typical cap response is that you *can* do things like attach a
> revoking or logging proxy to the cap before passing it on. This
> response does not convince the ACL crowd that caps are as good or
> better than ACLs, nor do I believe that it should. We need to convince
> them that innocent users *will not* pass rights the obvious way.

That decision doesn't necessarily need to be dictated at the admin level
though. Sometimes you want to pass a co-equal capability, and sometimes
you want a revocable version. In the end, capabilities enable greater
flexibility than you can attain with ACLs, but it obviously comes with
more danger.
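
The two delegation choices discussed in this message, a co-equal capability versus one wrapped in a revoking and logging proxy, sketched as an added JavaScript example that is not part of the original post. The store, its `read`/`edit` methods and `makeCaretaker` are hypothetical names chosen for illustration.

```javascript
'use strict';

// Constructed example: a record store whose object reference is the capability.
function makeStore() {
  const records = new Map([['r1', 'draft']]);
  return Object.freeze({
    read: (id) => records.get(id),
    edit: (id, value) => { records.set(id, value); return value; },
  });
}

// Caretaker: forwards only the listed methods, records each use, and
// stops forwarding once the delegator calls revoke().
function makeCaretaker(target, allowed, label, auditLog) {
  let live = target;                       // dropped on revoke
  const facet = {};
  for (const name of allowed) {
    facet[name] = (...args) => {
      if (live === null) {
        auditLog.push({ label, name, outcome: 'revoked' });
        throw new Error(`${label}: capability revoked`);
      }
      auditLog.push({ label, name, outcome: 'forwarded' });
      return live[name](...args);
    };
  }
  const revoke = () => { live = null; };
  return { facet: Object.freeze(facet), revoke };
}

function demo() {
  const auditLog = [];
  const store = makeStore();               // the operator's own capability

  // Co-equal delegation: the colleague receives the very same reference.
  const coEqual = store;
  coEqual.edit('r1', 'edited by colleague');

  // Revocable, read-only, logged delegation to a temp.
  const { facet, revoke } = makeCaretaker(store, ['read'], 'temp', auditLog);
  const beforeRevoke = facet.read('r1');
  revoke();
  let afterRevoke;
  try { afterRevoke = facet.read('r1'); } catch (e) { afterRevoke = e.message; }

  return { beforeRevoke, afterRevoke, canEdit: 'edit' in facet,
           coEqualStillWorks: coEqual.read('r1'), auditLog };
}

console.log(demo());
```

The caretaker here does not wrap return values, so it only contains authority when the forwarded methods return plain data; methods that hand back further capabilities would need a membrane.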

