[cap-talk] E persistent capabilities - cross vat access control (was: theory vs. practice)

Jed Donnelley capability at webstart.com
Fri Aug 3 14:37:34 EDT 2007


At 07:46 AM 8/3/2007, Mark Miller wrote:
>On 8/3/07, Jed Donnelley <capability at webstart.com> wrote:
> > I can understand how file content that might be modified by
> > executing E programs will survive.  What I don't understand
> > is how that effects any sort of permanent sharing between
> > users - e.g. on a Unix system for example.  When the system
> > restarts all process state is lost.
>
>A persistent E vat checkpoints some of its state to its checkpoint
>file on the file system. Such a checkpoint file records the persistent
>capabilities that its vat holds to objects in other vats as
>cap-as-data URIs. So, inter-vat, E provides only cap-as-data security,
>both for ephemeral caps and for persistent caps.

Got it.  That was the part I was missing.  Thanks for persisting
in something that would have been a 20 second interactive discussion.

>...
> >
> > Now the Unix system reboots.  How does user MarkM
> > exercise his RW access to user Jed's file?  Perhaps
> > both user Jed and user MarkM have to initialize
> > E 'demon's that pick up the changed file state and
> > permit communication from user MarkM to modify user
> > Jed's file - e.g. through the vat mechanism on the
> > network?
>
>Yes, exactly. You got it!
>
> > I hope my question is clear.  There's something
> > fundamental here that I think I'm missing.
>
>Looks to me like you figured out the fundamentals I hadn't thought to explain.

Glad to get that much figured out.  Thanks MarkM!

--Jed  http://www.webstart.com/jed-signature.html 
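
An added example, not part of the original thread and not E's own code, of the mechanism described above: each vat checkpoints the capabilities it holds as cap-as-data URIs, and after a restart the revived vats re-establish access from those files alone. The `Vat` class, the `cap://` URI layout and the JSON checkpoint format are assumptions made for illustration.

```python
import json, os, secrets, tempfile

class Vat:
    """Toy vat: only what is written to the checkpoint file survives a restart."""
    def __init__(self, vat_id, path, exports=None, imports=None):
        self.vat_id, self.path = vat_id, path
        self.exports = exports or {}   # swiss number -> [file name, rights] for objects hosted here
        self.imports = imports or {}   # local name -> cap-as-data URI held to another vat

    def export(self, file_name, rights):
        swiss = secrets.token_urlsafe(32)       # unguessable: knowing the URI is the authority
        self.exports[swiss] = [file_name, list(rights)]
        return f"cap://{self.vat_id}/{swiss}"   # constructed URI layout, not E's real syntax

    def checkpoint(self):
        # The checkpoint file contains bearer secrets, so create it owner-only.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"id": self.vat_id, "exports": self.exports, "imports": self.imports}, f)

    @classmethod
    def revive(cls, path):
        with open(path) as f:
            s = json.load(f)
        return cls(s["id"], path, s["exports"], s["imports"])

    def invoke(self, uri, op):
        """Host side: authorise a request purely by the swiss number carried in the URI."""
        vat_id, _, swiss = uri.removeprefix("cap://").partition("/")
        entry = self.exports.get(swiss) if vat_id == self.vat_id else None
        if entry is None or op not in entry[1]:
            raise PermissionError("unknown capability or right not granted")
        return f"{op} {entry[0]}"

def demo():
    d = tempfile.mkdtemp()
    jed_ckpt, markm_ckpt = os.path.join(d, "jed.ckpt"), os.path.join(d, "markm.ckpt")
    jed, markm = Vat("jed", jed_ckpt), Vat("markm", markm_ckpt)
    markm.imports["jeds_file"] = jed.export("notes.txt", "rw")  # Jed grants MarkM RW access
    jed.checkpoint(); markm.checkpoint()
    del jed, markm                                  # "reboot": all process state is lost
    jed2, markm2 = Vat.revive(jed_ckpt), Vat.revive(markm_ckpt)
    ok = jed2.invoke(markm2.imports["jeds_file"], "w")  # revived vats reconnect via the URI
    try:
        jed2.invoke("cap://jed/" + secrets.token_urlsafe(32), "w")  # guessed swiss number
        forged = "accepted"
    except PermissionError:
        forged = "rejected"
    return ok, forged
```

Because the checkpoint stores the capability as data, anyone who can read a vat's checkpoint file obtains every capability recorded in it, which is why the sketch creates the file with mode 0600.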



