[cap-talk] SPAM-LOW: Re: Confused Deputy (definitions), capabilities and Unix

Sandro Magi naasking at higherlogics.com
Thu Oct 26 19:28:21 CDT 2006


Jed at Webstart wrote:
>> It soon became clear, however, that more than two
>> "authorities" were necessary for some of our applications.
>
> However, seemingly NOT for any applications in Unix - my point.
> As I say, Unix has been this way for years and years and has
> managed to get by.  Why does Unix "need" capabilities again?

I'm not sure whether "getting by" even accurately describes the
situation, or is very reassuring to companies that seek to secure their
multi-million dollar transactions. As Fred Spiessens and others have
recently hashed out, I think the core lesson of the Confused Deputy and
the subsequent advantage of capabilities is this:

   losing the connection between the origin of the designation and
   the origin of the authority will result in confused deputies. When
   programming deputies, the ultimate advantage of capabilities is that
   you don't have to keep track of this connection yourself.
   Programmers tend to keep track only of the designation (functionality-
   minded as they are).

In other words, it makes secure programming *simpler*, more natural, and
thus, less error-prone. So why does Unix need capabilities? For the same
reasons Linux "needed" epoll, or HAL, or D-BUS, or any of the other
numerous "improvements": to make it better in any and every way possible.

Sandro
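The designation/authority split that the quoted passage describes, as an added example that is not part of the thread or of any project discussed in it. It sets up a constructed scenario (a "compiler" deputy that writes a log on behalf of a caller named Alice, an in-memory file table and a hand-written ACL; all names and paths are invented for illustration) and shows the same deputy written twice: once with ambient authority, where the caller supplies only a path and the deputy's own permissions are checked, and once with a write capability that carries designation and authority in a single object.

```python
"""Added example (not from the cap-talk thread): the same deputy written in
ambient-authority style and in capability style. All paths, principals and
file contents are constructed for the demonstration."""

from copy import deepcopy

# Constructed in-memory "filesystem" (path -> contents); copied per scenario.
INITIAL_FILES = {"/billing/accounts": "balance:100", "/tmp/alice.log": ""}

# Constructed ACL: which principal may write which path.
WRITE_ACL = {
    "compiler": {"/billing/accounts", "/tmp/alice.log"},  # the deputy's ambient authority
    "alice": {"/tmp/alice.log"},                           # the caller's authority
}


def acl_write(files, principal, path, data):
    """Ambient-authority write: permission is looked up by *who* is writing,
    not by how the writer came to know the path."""
    if path not in WRITE_ACL.get(principal, set()):
        raise PermissionError(f"{principal} may not write {path}")
    files[path] = data


def ambient_deputy(files, log_path, message):
    """The deputy runs as 'compiler'. The caller supplies the designation
    (log_path); the authority comes from the deputy's own identity. Because
    the two origins are disconnected, the deputy cannot tell whether its
    caller was entitled to name this path. This is the confused deputy."""
    acl_write(files, "compiler", log_path, message)


class WriteCap:
    """Capability: an unforgeable reference that both designates one file and
    carries the authority to write it. Possession is the permission."""

    def __init__(self, files, path):
        self._files, self._path = files, path

    def write(self, data):
        self._files[self._path] = data


def grant_write(files, principal, path):
    """Bootstrap step: a principal may mint a capability only to files it may
    itself write. The ACL is consulted once, at the origin of the authority."""
    if path not in WRITE_ACL.get(principal, set()):
        raise PermissionError(f"{principal} may not mint a write cap for {path}")
    return WriteCap(files, path)


def capability_deputy(log_cap, message):
    """Designation and authority arrive together in one argument. The deputy
    keeps track of neither and cannot write anywhere its caller could not."""
    log_cap.write(message)


def run_ambient_scenario():
    """Alice names the billing file as her 'log'. The ACL check passes because
    it asks about the compiler, not about Alice, and the billing record is
    overwritten. Returns the billing file's contents afterwards."""
    files = deepcopy(INITIAL_FILES)
    ambient_deputy(files, "/billing/accounts", "balance:0")
    return files["/billing/accounts"]


def run_capability_scenario():
    """Alice can only obtain a capability to her own log, so that is the only
    place the deputy can write. Returns (billing contents, Alice's log
    contents, whether minting a billing-file capability was refused)."""
    files = deepcopy(INITIAL_FILES)
    refused = False
    try:
        grant_write(files, "alice", "/billing/accounts")
    except PermissionError:
        refused = True
    capability_deputy(grant_write(files, "alice", "/tmp/alice.log"), "compiled ok")
    return files["/billing/accounts"], files["/tmp/alice.log"], refused


if __name__ == "__main__":
    print("ambient deputy, billing file now:", run_ambient_scenario())
    print("capability deputy:", run_capability_scenario())
```

Note that `ambient_deputy` contains no bug in the usual sense: every check it runs passes, which is exactly the point of the quoted passage. The fix is not another check inside the deputy but a change in what the deputy is handed, so that the programmer never has to reconstruct the link between who named the file and who was allowed to write it.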

