[cap-talk] A better reference for the "capabilities propagate too easily" argument

Mark Miller erights at gmail.com
Wed Aug 1 23:58:51 EDT 2007


On 8/1/07, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> On Wed, 2007-08-01 at 08:58 -0700, Mark Miller wrote:
> > Again, I have no idea what you or anyone else (except Alan) means when
> > they say "discretionary" or "mandatory".
>
> Just for reference, (I believe this tallies with Jonathan's view as
> well, based on previous discussions here with him) from my
> point-of-view, the distinction between a mandatory and discretionary
> control is always decided from the perspective of the subjects involved.
> If a particular subject, S, has some say in the functioning of the
> control, then it's discretionary (from S's point of view). Otherwise it's
> mandatory (from S's point of view).

I accept that this definition is meaningful and internally consistent.
However, it differs so completely from historical usage as to be worse
than useless. For example, by this definition, even a simple ACL
system implements mandatory security: If Alice creates file F, she
owns file F. If Alice does not put Bob on F's ACL, then from Bob's
point of view, his inability to access the file is mandatory. Try
telling any security person not on cap-talk that even conventional
ACLs implement mandatory security! (On second thought, please don't
try this.)

Saltzer and Schroeder offer a different definition of "discretionary"
which is also meaningful and internally consistent. (AFAIK, S&S did
not define "mandatory".) It has the advantage of not being
point-of-view dependent, and it is arguably closer to being
historically correct because it precedes and helped form most of the
relevant history. It is:

"Our discussion . . . rested on an unstated assumption: the principal
that creates a file or other object in a computer system has
unquestioned authority to authorize access to it by other principals.
. . . We may characterize this control pattern as _discretionary_."
[emphasis in the original]

By this definition, after substituting "subject" for "principal",
conventional ACLs are discretionary whereas ocaps and MLS are
non-discretionary. But even though my thesis plays this word game (in
section 11.1), I don't think the term as defined here is a terribly
useful concept. I encourage us to stop using it.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
