[cap-talk] Confused Deputy (definitions)
Ka-Ping Yee
cap-talk at zesty.ca
Wed Oct 25 20:56:50 CDT 2006
On Wed, 25 Oct 2006, Jed at Webstart wrote:
> > > If D can access "A" with U's authority
> > > for the purposes of the request by U (as many have discussed in the
> > > case of Unix), then isn't this limited "Confused Deputy" problem solved?
> >
> >That's what 2a is about.
>
> I understand. However, in the case of Unix it seems that there is such
> a means (though awkward as some say). From the viewpoint of a Unix
> programmer/user this problem has been known about and dealt with
> adequately for years. Why do we need capabilities?
Norm talks about this a bit in his article:
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
| The system was modified by providing a new system call to *switch
| hats* which could be used to select one of its two authorities. Note
| the increase in complexity! The compiler would then be able to use
| its home files license or the invoker's license explicitly--in the
| latter case, for example, saying "by the authority vested in me by my
| invoker I hereby request the opening of (SYSX)BILL" which would then
| properly fail. It soon became clear, however, that more than two
| "authorities" were necessary for some of our applications. A further
| problem was that there were other authority mechanisms besides
| access to files. Generalizations were not obvious and the
| modifications to the system were not localized. (Exercise for the
| reader: Show that access lists do not solve this problem.)
|
| Another indication of poor design is that disparate mechanisms were
| necessary to arrange separately that the compiler (1) know what file
| to write on and (2) be authorized to write on that file. The crime
| was perpetrated through unintended application of the compiler's
| authority over SYSX when writing the user's data. (If you try to
| solve this problem without capabilities, remember that the file
| (SYSX)STAT must also be protected.)
-- ?!ng
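The three arrangements in the quoted passage, as an added worked example (not code from this post or from Hardy's article): the original compiler acting under both licences at once, the "switch hats" call that selects one licence per operation, and a capability that carries designation and authority together. The file names (SYSX)BILL and (SYSX)STAT and the two licences are from the article; the principals "SYSX" and "USER", the ACL table, the file (USER)OUT and the Deputy/FileCap classes are constructed for illustration.

```python
"""Simulation of the confused-deputy compiler and two remedies.

Added example, not from the cap-talk post or Hardy's article.  The ACL
table, the principals, (USER)OUT and the classes below are constructed.
"""

# Constructed ACL: file -> principals whose licence permits writing it.
ACL = {
    "(SYSX)BILL": {"SYSX"},   # billing records; only the compiler's home account
    "(SYSX)STAT": {"SYSX"},   # usage statistics the compiler legitimately updates
    "(USER)OUT":  {"USER"},   # the invoking user's own output file
}


class Denied(Exception):
    pass


def write_with(hats, path, data, fs):
    """ACL write: permitted if any licence currently worn covers the file."""
    if not (ACL.get(path, set()) & set(hats)):
        raise Denied(f"none of {sorted(hats)} may write {path}")
    fs[path] = data


# 1. The original deputy: every write carries BOTH licences, so a user-supplied
#    output name of (SYSX)BILL is accepted.  Being told which file to write and
#    being authorised to write it are decided by separate mechanisms.
def naive_compiler(invoker, output_path, fs):
    hats = {"SYSX", invoker}
    write_with(hats, "(SYSX)STAT", "usage+1", fs)
    write_with(hats, output_path, "object code", fs)
    return "wrote"


# 2. "Switch hats": the deputy explicitly selects one licence per operation.
class Deputy:
    def __init__(self, home="SYSX"):
        self.home = home
        self.hat = home

    def switch_hat(self, principal):
        self.hat = principal

    def write(self, path, data, fs):
        write_with({self.hat}, path, data, fs)


def hat_switching_compiler(invoker, output_path, fs):
    d = Deputy()
    d.switch_hat(d.home)                      # bookkeeping under the home licence
    d.write("(SYSX)STAT", "usage+1", fs)
    d.switch_hat(invoker)                     # "by the authority vested in me by my invoker"
    d.write(output_path, "object code", fs)   # properly fails for (SYSX)BILL
    return "wrote"


# 3. Capability: the invoker hands over an unforgeable handle that both names
#    the output file and permits writing it; nothing to switch, no path to confuse.
class FileCap:
    def __init__(self, path):
        self._path = path

    def write(self, data, fs):
        fs[self._path] = data


def mint_cap(principal, path):
    """The invoker's own environment can only mint caps its licence covers."""
    if principal not in ACL.get(path, set()):
        raise Denied(f"{principal} holds no authority over {path}")
    return FileCap(path)


def capability_compiler(stat_cap, output_cap, fs):
    stat_cap.write("usage+1", fs)
    output_cap.write("object code", fs)
    return "wrote"


def run_scenario(output_path):
    """Ask each compiler variant to write output_path; report what happened."""
    variants = (
        ("naive", lambda fs: naive_compiler("USER", output_path, fs)),
        ("hats", lambda fs: hat_switching_compiler("USER", output_path, fs)),
        ("cap", lambda fs: capability_compiler(
            FileCap("(SYSX)STAT"), mint_cap("USER", output_path), fs)),
    )
    results = {}
    for name, run in variants:
        fs = {}
        try:
            results[name] = run(fs)
        except Denied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    print(run_scenario("(SYSX)BILL"))  # {'naive': 'wrote', 'hats': 'denied', 'cap': 'denied'}
    print(run_scenario("(USER)OUT"))   # {'naive': 'wrote', 'hats': 'wrote', 'cap': 'wrote'}
```

The hat-switching variant stops the attack only because the compiler author remembered to switch before every write on a user-supplied name; the capability variant needs no such discipline, since the user cannot obtain a handle to (SYSX)BILL in the first place.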