[cap-talk] A better reference for the "capabilities propagate too easily" argument

Mark Miller erights at gmail.com
Thu Aug 2 12:12:47 EDT 2007

On 8/2/07, Karp, Alan H <alan.karp at hp.com> wrote:
> If either party in a rights transfer from one to the other determines
> whether or not the transfer succeeds, then the control is discretionary.
> If some third party determines the success of the transfer, then the
> control is mandatory.

In a conventional ACL system, Alice creates file F. Alice is the
initial sole owner of F. Alice gives Carol write permission. Alice
chooses whether or not to "chown Carol F". It does not matter for this
scenario whether this results in Alice sharing ownership with Carol,
or whether this results in Carol being the new sole owner.

Carol then attempts to give Bob write permission. The attempted
transfer of permission from Carol to Bob does or does not succeed
depending on Alice's choice. Therefore, by the definition proposed
above, conventional ACLs can express and implement mandatory controls.

Text by me above is hereby placed in the public domain
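
The scenario in the message above, as an added example that is not part of the original post: a toy ACL model in which only an owner may edit a file's ACL, run with and without Alice's chown and under both chown semantics. The `File` class, its methods and `carol_to_bob_succeeds` are hypothetical names constructed for illustration, not any real operating system's API.

```python
# Toy ACL reference monitor (constructed for illustration; not a real OS API).

class PermissionDenied(Exception):
    pass


class File:
    def __init__(self, creator):
        self.owners = {creator}          # the creator is the initial sole owner
        self.acl = {creator: {"write"}}  # principal -> set of permissions

    def grant(self, actor, grantee, perm):
        # Assumed rule of this model: only an owner may edit the ACL.
        if actor not in self.owners:
            raise PermissionDenied(f"{actor} is not an owner")
        self.acl.setdefault(grantee, set()).add(perm)

    def chown(self, actor, new_owner, shared):
        if actor not in self.owners:
            raise PermissionDenied(f"{actor} is not an owner")
        if shared:
            self.owners.add(new_owner)   # ownership is shared
        else:
            self.owners = {new_owner}    # new sole owner


def carol_to_bob_succeeds(alice_chowns, shared=False):
    """Return True if Carol's attempt to give Bob write permission succeeds."""
    f = File("alice")
    f.grant("alice", "carol", "write")   # Alice gives Carol write permission
    if alice_chowns:
        f.chown("alice", "carol", shared)
    try:
        f.grant("carol", "bob", "write") # Carol attempts the transfer to Bob
    except PermissionDenied:
        return False
    return "write" in f.acl["bob"]


if __name__ == "__main__":
    print("no chown:       ", carol_to_bob_succeeds(False))
    print("chown (shared): ", carol_to_bob_succeeds(True, shared=True))
    print("chown (sole):   ", carol_to_bob_succeeds(True, shared=False))
```

Carol and Bob behave identically in every run; only Alice's choice, made outside the Carol-to-Bob transfer, changes the outcome.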


