[cap-talk] Confused Deputy, multiple authorities - Norm?

Charles Landau clandau at macslab.com
Tue Oct 24 18:49:27 CDT 2006


At 1:30 PM -0700 10/24/06, Jed at Webstart wrote:
>At 08:57 AM 10/20/2006, Charles Landau wrote:
>>Here is one way to see the difference between passwd and Norm's
>>compiler example. The compiler cannot protect its statistics file,
>>without resorting to checking that the name of the output file
>>provided by the user is different from the name of the statistics
>>file.
>
>That is system dependent.  If the compiler could check the user's
>UID (as in the Unix case) then the compiler could solve the Confused
>Deputy problem in so far as that ambient authority model goes.
>
>If the compiler could know the user's UID it could check to ensure
>that the user had write access to their debugging information file.

In general, user X shouldn't be able to find out whether user Y has 
access to object Z. Whether Y has access to Z is information that Y 
should be able to keep private. Your proposed solution is not a 
direction we want to go in.

>For
>example where the UID of the service (e.g. an SUID compiler) doesn't
>have read (x) access to a directory in which there is a file that
>its UID has write access to but the user's UID does not.

You seem to be saying that even in Unix, knowing the user's UID isn't 
a good solution.

>If the passwd command can be induced to change a password
>other than the user's, then the passwd command has been
>"confused".

Just as, for example, the "dining philosophers" problem does not 
refer to just any situation in which actors interact, but rather to a 
very specific problem, I do not take the term "confused deputy" to 
mean any situation in which a service is confused. (It has already 
been pointed out that the name "confused deputy" is imperfect.) I 
take the term "confused deputy" to mean a situation in which a 
service fails to enforce its intended security policy because, 
lacking capabilities, it has no natural way to express the notion 
"take this action, but only by the authority vested in me from this 
source".

It may or may not be possible to express that notion in Unix, but 
even if possible, it doesn't seem to me to be natural or easy.

>We could ask whether the term "Confused Deputy" should be limited to
>the case where the Deputy has no way to determine what the
>appropriate authorization for the client is or whether the "Confused
>Deputy" should apply to the more general case.  I believe the
>Wikipedia article is using it in the broader sense.

I see no value in taking the more general case, and it has little to 
do with capabilities.

>Perhaps we should hear from Norm about whether he'd prefer the term
>he coined to be used in his original narrow sense or in the more
>general sense used in the Wikipedia article?
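The compiler scenario that Charles and Jed are arguing about, worked through as an added example (it is not part of the original post or the cap-talk archive). The in-memory filesystem, the statistics-file path and the client paths are all constructed for the illustration. The first deputy opens both files by name under its own ambient authority, the second adds the name comparison Charles calls a last resort, and the third receives a write capability from the client and so can only ever write where the client was already allowed to write:

```python
"""Confused deputy: ambient authority versus capability passing."""
import posixpath
from dataclasses import dataclass, field

# Hypothetical path for the deputy's private statistics file.
STATS_PATH = "/usr/lib/cc/stats"


@dataclass
class ToyFS:
    """Constructed in-memory filesystem: path -> content.  Paths are normalised
    on access, so '/a//b' and '/a/b' name the same file, as on a real system.
    Any caller that can name a path can write it: that is ambient authority."""
    files: dict = field(default_factory=dict)

    def write(self, path: str, data: str) -> None:
        self.files[posixpath.normpath(path)] = data

    def read(self, path: str) -> str:
        return self.files.get(posixpath.normpath(path), "")


def ambient_compile(fs: ToyFS, source: str, output_path: str) -> None:
    """Deputy with ambient (setuid-like) authority: it opens the client's
    output file and its own statistics file by name, with the same rights."""
    fs.write(output_path, "obj:" + source)
    fs.write(STATS_PATH, fs.read(STATS_PATH) + "compiled\n")


def name_checking_compile(fs: ToyFS, source: str, output_path: str) -> None:
    """The mitigation the post mentions: compare the output name with the
    statistics file name.  It only recognises an exact string match."""
    if output_path == STATS_PATH:
        raise PermissionError("refusing to use the statistics file as output")
    ambient_compile(fs, source, output_path)


class WriteCap:
    """A write capability: an unforgeable handle to exactly one file.  The
    holder can write through it but cannot reach any other file with it."""

    def __init__(self, fs: ToyFS, path: str) -> None:
        self._fs, self._path = fs, path

    def write(self, data: str) -> None:
        self._fs.write(self._path, data)

    def append(self, data: str) -> None:
        self._fs.write(self._path, self._fs.read(self._path) + data)


def make_capability_compiler(stats_cap: WriteCap):
    """Build a deputy that holds its own statistics capability and never
    receives a file name from the client, only the client's capability.
    Each write happens by the authority of exactly one source."""
    def compile_(source: str, output_cap: WriteCap) -> None:
        output_cap.write("obj:" + source)   # client's authority
        stats_cap.append("compiled\n")      # deputy's own authority
    return compile_


def demo_ambient() -> bool:
    """True if a client that merely names the stats file as its output gets
    the deputy to overwrite it."""
    fs = ToyFS()
    fs.write(STATS_PATH, "count=41\n")
    ambient_compile(fs, "main()", STATS_PATH)
    return not fs.read(STATS_PATH).startswith("count=41")


def demo_name_check() -> tuple:
    """Returns (exact name refused, aliased name refused, stats contents).
    The exact name is caught; an alias for the same file is not."""
    fs = ToyFS()
    fs.write(STATS_PATH, "count=41\n")
    results = []
    for path in (STATS_PATH, STATS_PATH.replace("/cc/", "/cc//")):
        try:
            name_checking_compile(fs, "main()", path)
            results.append(False)
        except PermissionError:
            results.append(True)
    return results[0], results[1], fs.read(STATS_PATH)


def demo_capability() -> bool:
    """True if the stats file survives: the client holds no capability to it,
    so there is no way even to ask the deputy to write there."""
    fs = ToyFS()
    fs.write(STATS_PATH, "count=41\n")
    compile_ = make_capability_compiler(WriteCap(fs, STATS_PATH))
    client_out = WriteCap(fs, "/home/alice/a.o")   # the client's own authority
    compile_("main()", client_out)
    return (fs.read(STATS_PATH) == "count=41\ncompiled\n"
            and fs.read("/home/alice/a.o") == "obj:main()")


if __name__ == "__main__":
    print("ambient deputy clobbered stats:", demo_ambient())
    print("name check (exact, alias, stats):", demo_name_check())
    print("capability deputy kept stats intact:", demo_capability())
```

The name check fails on the aliased path because it compares names, not files, which is what makes it unnatural as a security boundary. The capability version does not need the deputy to know who the client is or what the client may access, which is the privacy point Charles raises about user X learning Y's rights; the client simply cannot hand over authority it does not hold.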
