[cap-talk] Examples where ACLs are a better solution than capabilities

Jonathan S. Shapiro shap at eros-os.com
Mon Oct 8 04:18:45 EDT 2007


On Sun, 2007-10-07 at 21:32 -0700, Jed Donnelley wrote:
> >The problem with either-or systems is that things slip through the
> >cracks where (a) the two systems have been configured in subtly
> >different ways, or (b) the overlap in what the two systems can express
> >is imperfect.
> 
> I think I'm starting to get sick.  I believe we have evidence of
> reasonably successful ACL systems and reasonably successful
> capability systems, but I know of no even moderately successful
> mixed systems.  Perhaps MarkM can help us out here with some
> examples that successfully occupy this space?

Jed:

I was not advocating the hybrid. I was stating that if you are committed
to doing the hybrid there is a bad way and a worse way to do it.

Concerning non-overlap, the concrete case I was thinking of was the
"port number below 1024" vs. the UNIX permissions. Historically, *every*
program that tried to straddle that boundary got it dreadfully wrong
again and again and again.

> Of course one of the main points of Horton was to demonstrate
> that we can achieve the main values of ACL systems with pure
> capabilities.  Presumably then the examples where ACL systems
> are a better solution go beyond what a mechanism like Horton
> can supply.

I confess that I have not had time to read the Horton paper, but the
last time we had this discussion we all concluded that the membrane
approaches had storage allocation and transitivity issues that were very
difficult to resolve without GC. This made these approaches ill-suited
to OS-style capabilities.

If this remains true, then the claim that Horton addresses the ACL
objectives seems excessive. On the other hand, if you have a solution I
should really go read the paper.

Do you?


shap
