[cap-talk] Capabilities - the rub, an account

Stiegler, Marc D marc.d.stiegler at hp.com
Sun Nov 26 15:35:39 CST 2006


 

> > "Considerable overhead", oh, lordy, yes.
> 
> Editing an ACL takes less than a minute. Basically the 
> overhead is in getting the attention of the sysadmin. 

Yes. The overhead is getting the attention of the sysadmin. That
overhead can be enormous. In large corporations it is usually enormous.
Why do we wish to make the sysadmin into a stumbling block for
activities for which he cannot possibly have any useful input? Why
should we assume that the goal of computing is to increase the amount of
effort we spend negotiating with each other? I thought the idea was to
automate the unpleasant things so we could have more fun :-)

> Arguably, users should chat to the sysadmin before delegating 
> non-trivial rights anyway, and the main problem here is the 
> barriers to communication between the users and sysadmin 
> rather than ACLs.

I find it inarguable that I know more about the correct utilization of
my rights than does a sysadmin. We all exercise our superior wisdom when
we send things in email without asking the sysadmin for their insights.
Unless you think email should be shut off, you actually agree with me
about this.

This discussion is virtually identical to the century long,
multi-billion dollar, multi-million human life lost debate in the field
of economics. It is the difference between the view that there is a
central wise group who should organize the lives of others, and the view
that people are in better positions to organize their own lives than the
immensely wise central bosses. In economics, the reason I can make my
own decisions better than the central wise man is that I have "local
knowledge", and the value of this local knowledge outweighs whatever
greater insight the central boss may have. The belief that the central
wise man should always be consulted before taking action is known as
"the fatal conceit". The fatal conceit is a disease that most commonly
occurs in smart people: smart folk look around and see how badly other
people are getting by, and say, "I could run his life better than he
does"...and the smart person would be correct about that except that it
is a full time job to gather the "local knowledge" needed to run that
one other person's life. And so it is with decisions about those with
whom I should share my read and write access.

> 
> > I'm sorry,  but this is a
> > rationalization of a situation which is fundamentally broken.
> 
> That's the cap POV.

No, it is the POV of everyone who has ever had to wait a month for a
sysadmin to take an action that obviously made sense to do immediately.
Or, yes, it is the cap POV, and all those millions of people who have
waited for their sysadmins are cap people, they just don't know it. If
they did know it, they would fire all the acl people from their
companies so they could get some work done :-)

> ...much elided

> This could be fixed with a change of culture rather than a 
> change of security model. If there was good communication a 
> one-minute trip to the IT guys office could have fixed this 
> under ACLs.

This is the acl POV. "Hey, no sweat, just change your culture to meet my
security specification. What's the big deal? It is your culture that is
broken, not my beautiful security policy." 

>...
> In any case this argument seems weak when applied to users. 
> The HP policy was too restrictive, however all major 
> corporations have policies about who their staff are allowed 
> to trust with their passwords, keys, access cards, etc. 
> Sysadmins can scan for malware that proxies rights. Users 
> usually don't set up proxies that share access to the company 
> database with their penpal. Users who know enough to set up 
> such a proxy usually know enough to know the risks.
> Just because it is possible to break company policy doesn't 
> follow that we should actively try to make it easier.

But such proxies are not in general malware. It only looks like malware
to a sysadmin because he is clueless about what folks are really doing.
But you're right, people don't generally build proxies. They use email.
Even though it is egregiously manually intensive to use email, it is
less egregious than getting the sysadmin's attention or changing the
culture.

>...

> > Note that, in the true life situation I described above, the solution
> > for getting better accountability is the same in both acl and cap
> > systems: the higher-level IT guy grants me my own authority (either a
> > cap or an acl entry) which is then logged separately from the accesses
> > done by my local IT guy. Or better, my local IT guy has an authority
> > to have a cap created and sent via email to my HP email address, again
> > a separately loggable cap.
> 
> Or equivalently, the IT guy has an acl-edit capability?

Sure. This whole discussion started with Jed's assertion that caps had
some problems that were solved by acls. A discussion of the advantages
of caps is separate; in matters like this I have principally been
arguing that caps are/can be/ just as good. Though, embarrassingly
enough, in the examples I have given here, caps are actually better,
because they break the veil of illusion. With caps, it is not possible
for a central boss to confuse himself about what security policies can
be enforced and then make everyone's life harder by trying to enforce
the unenforceable, by forgetting-to-add/deciding-to-subtract the acl
editing authority that people need to do further delegation. Note that
they merely make life harder for the honest folk, they don't actually
achieve any better security properties against the malicious folk,
because, as you must be tired of hearing, people use email to circumvent
the central boss's cooperation-hostile policy anyway.

Another thing this discussion reminds me of is the internal corporate
wars that broke out when cheap copy machines were introduced (wow, you
have to be an old guy to remember this). Lots of bosses at lots of
companies were terrified that they would "lose control" of all the
company's sensitive data, because the malicious employee could make
copies of everything and send it to the newspapers and the competitors.
The truth, of course, was more complicated. On the one hand, cheap easy
copying did get used to steal sensitive data. But the overall benefit to
the company of having information easily widely disseminated inside the
company far outweighed the cost of the small increase in leaks. It
outweighed the risks so fiercely that I know of no company in which this
is even a matter of debate any more; only companies that embraced easy
copying survived the transition. Eventually, easy proxying will win out
in the same way, for the same reasons. This too is the same whether we
use caps or acls. It's just more obviously the correct thing to do when
you approach it from a caps perspective.

--marcs
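The accountability pattern in the quoted passage above (a separately logged, delegated authority instead of the IT guy acting on one's behalf), as an added example that is not from the original post or from any cap-talk project: a toy object-capability model in Python in which each delegated cap gets its own id and attenuated rights, every access is logged against the exact cap used, and the delegation chain can be recovered from a log entry. The resource, holder names and operations are constructed sample values.

```python
# Added example (not from the post): a toy object-capability model where delegation is
# self-service and every access is logged against the exact cap that was used.
from collections import namedtuple
from itertools import count

# parent = id of the cap this one was delegated from (0 for a minted root cap)
Cap = namedtuple("Cap", "id resource rights holder parent", defaults=(0,))
_ids = count(1)

class CapSystem:
    def __init__(self):
        self.caps = {}  # cap id -> Cap
        self.log = []   # one (holder, cap id, op, resource) tuple per access

    def mint(self, resource, rights, holder):
        cap = Cap(next(_ids), resource, frozenset(rights), holder)
        self.caps[cap.id] = cap
        return cap

    def delegate(self, cap, new_holder, rights):
        # Attenuated child cap: no sysadmin in the loop, but never more than the holder has.
        rights = frozenset(rights)
        if not rights <= cap.rights:
            raise PermissionError("cannot delegate rights you do not hold")
        child = Cap(next(_ids), cap.resource, rights, new_holder, cap.id)
        self.caps[child.id] = child
        return child

    def access(self, cap, op):
        if op not in cap.rights:
            raise PermissionError(f"{cap.holder} lacks {op} on {cap.resource}")
        self.log.append((cap.holder, cap.id, op, cap.resource))
        return True

    def chain(self, cap_id):
        # Audit helper: from a logged cap id, recover who delegated it, root first.
        holders = []
        while cap_id:
            holders.append(self.caps[cap_id].holder)
            cap_id = self.caps[cap_id].parent
        return holders[::-1]

def demo():
    sysm = CapSystem()
    it_cap = sysm.mint("hr-db", {"read", "write"}, "local-IT")  # constructed sample values
    sysm.access(it_cap, "read")  # IT acting on the user's behalf: the log names only IT
    marc = sysm.delegate(it_cap, "marcs", {"read"})  # the "separately loggable cap"
    sysm.access(marc, "read")    # the log names marcs and his own cap id
    return sysm, it_cap, marc
```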


