[cap-talk] A better reference for the "capabilities propagate too easily" argument
Karp, Alan H
alan.karp at hp.com
Thu Aug 2 14:34:03 EDT 2007
MarkM wrote:
>
> In a conventional ACL system, Alice creates file F. Alice is the
> initial sole owner of F. Alice gives Carol write permission. Alice
> chooses whether or not to "chown Carol F". It does not matter for this
> scenario whether this results in Alice sharing ownership with Carol,
> or whether this results in Carol being the new sole owner.
Discretionary.
>
> Carol then attempts to give Bob write permission. The attempted
> transfer of permission from Carol to Bob does or does not succeed
> depending on Alice's choice. Therefore, by the definition proposed
> above, conventional ACLs can express and implement mandatory controls.
>
Mandatory.
The security community at that time assumed a special class of user
responsible for maintaining the integrity of the system. If Alice
wasn't in that class, they would call it discretionary because Carol
could ask Alice to transfer the right to Bob. However, once you get
away from the idea of an all-powerful Oz, you need to introduce the
"point of view" piece. It makes sense. To Oz, everything is at his
discretion.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp