[cap-talk] What's "Discretionary Security" (was: Another "core" principle, capability communication)
Jed Donnelley
capability at webstart.com
Tue Jan 2 01:37:42 CST 2007
At 06:00 PM 1/1/2007, Karp, Alan H wrote:
>MarkM wrote:
> >
> > > Let's start with a plain conventional Unix ACL-ish example. I create
> > > a file foo.txt. I choose not to give you write permission on this
> > > file. Are we interacting using mandatory or discretionary security?
> >
> > how would you describe it using these terms?
> >
>Discretionary, but the example is flawed. How can you choose to give a
>subject write permission in a Unix system? In a Unix-like system where
>you can, it's non-discretionary if you want to grant write permission,
>but the grantee doesn't get it.
>
>Also, VOC is non-discretionary.

I'm sorry, but I really don't see the point of this discussion.
I believe I've read all the relevant messages and responded
where I could contribute before. I still haven't seen anything
that dissuades me from this basic point:

Any access control is discretionary from one viewpoint (that
of whoever sets up the control) and mandatory from another
(that of some subject potentially blocked or permitted
by the control).

When it comes down to it, the essence of "mandatory" access
control seems to be that a subject with a permission must
not be allowed to grant that permission to another subject.
In that sense it is antithetical to the object-capability
paradigm and to the reality of the issue of communicating
conspirators.

To me it's really nonsense. I hope somebody can provide even
a modicum of meaning in it for me at some point.

--Jed http://www.webstart.com/jed-signature.html