[cap-talk] SPAM-LOW: Re: Confused Deputy (definitions), capabilities and Unix

Sandro Magi naasking at higherlogics.com
Thu Oct 26 19:28:21 CDT 2006

Jed at Webstart wrote:
>> It soon became clear, however, that more than two
>> |   "authorities" were necessary for some of our applications.
> However, seemingly NOT for any applications in Unix - my point.
> As I say, Unix has been this way for years and years and has
> managed to get by.  Why does Unix "need" capabilities again?

I'm not sure whether "getting by" even accurately describes the
situation, or is very reassuring to companies that seek to secure their
multi-million dollar transactions. As Fred Spiessens and others have
recently hashed out, I think the core lesson of the Confused Deputy, and
the subsequent advantage of capabilities, is this:

   losing the connection between the origin of the designation and
   the origin of the authority will result in confused deputies. When
   programming deputies, the ultimate advantage of capabilities is that
   you don't have to keep track of this connection yourself.
   Programmers tend to keep track only of the designation
   (functionality-minded as they are)

In other words, it makes secure programming *simpler*, more natural, and
thus, less error-prone. So why does Unix need capabilities? For the same
reasons Linux "needed" epoll, or HAL, or D-BUS, or any of the other
numerous "improvements"; to make it better in any and every way possible.
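The quoted point, in code: an added example (not from this post or the list) that simulates the classic compiler/billing-file confused deputy with a constructed in-memory ACL, then the same deputy written against write capabilities, where the client can only designate files it already holds authority for. The ACL, paths and principal names are all constructed for the demonstration, not real Unix permission checks.

```python
"""Confused deputy vs. capability deputy, as a small in-memory simulation."""

# Constructed ACL: path -> principals allowed to write it.
ACL = {
    "/var/billing/usage.log": {"compiler"},            # only the deputy may write
    "/home/alice/out.o":      {"alice", "compiler"},   # alice's own output file
}
FILES = {path: [] for path in ACL}                     # path -> written records


def write_by_path(principal, path, data):
    """Ambient-authority write: the check uses whatever identity the *caller of
    this function* passes, and a deputy always passes its own."""
    if principal not in ACL.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    FILES[path].append(data)


def confused_compiler(client, src, debug_path):
    """Deputy that takes a path (designation) from the client but writes it with
    its OWN authority. Designation and authority come from different origins,
    so the deputy must remember to check them itself -- and here it does not."""
    write_by_path("compiler", debug_path, f"debug for {client}: {src}")
    write_by_path("compiler", "/var/billing/usage.log", f"{client}: 1 unit")


class WriteCap:
    """A write capability: designates one file and carries the authority to
    write it. Minting it is the only place a permission check happens."""
    def __init__(self, principal, path):
        if principal not in ACL.get(path, set()):
            raise PermissionError(f"{principal} may not open {path} for write")
        self._path = path

    def write(self, data):
        FILES[self._path].append(data)


def capability_compiler(client, src, debug_cap, billing_cap):
    """Deputy that receives capabilities. Whatever it writes through debug_cap,
    the client was already authorized for; no connection to track."""
    debug_cap.write(f"debug for {client}: {src}")
    billing_cap.write(f"{client}: 1 unit")


def run_demo():
    """Returns (billing log corrupted?, could alice mint a billing cap?, out.o)."""
    confused_compiler("alice", "main.c", "/var/billing/usage.log")  # obeyed
    corrupted = any(r.startswith("debug") for r in FILES["/var/billing/usage.log"])
    try:
        WriteCap("alice", "/var/billing/usage.log"); minted = True
    except PermissionError:
        minted = False                                  # designation refused
    capability_compiler("alice", "main.c", WriteCap("alice", "/home/alice/out.o"),
                        WriteCap("compiler", "/var/billing/usage.log"))
    return corrupted, minted, list(FILES["/home/alice/out.o"])
```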

