[cap-talk] Examples where ACLs are a better solution than capabilities
Jed Donnelley
capability at webstart.com
Mon Oct 8 12:09:09 EDT 2007
At 01:18 AM 10/8/2007, Jonathan S. Shapiro wrote:
>On Sun, 2007-10-07 at 21:32 -0700, Jed Donnelley wrote:
> > >The problem with either-or systems is that things slip through the
> > >cracks where (a) the two systems have been configured in subtly
> > >different ways, or (b) the overlap in what the two systems can express
> > >is imperfect.
> >
> > I think I'm starting to get sick. I believe we have evidence of
> > reasonably successful ACL systems and reasonably successful
> > capability systems, but I know of no even moderately successful
> > mixed systems. Perhaps MarkM can help us out here with some
> > examples that successfully occupy this space?
>
>Jed:
>
>I was not advocating the hybrid. I was stating that if you are committed
>to doing the hybrid there is a bad way and a worse way to do it.
Whew. I seem to recall some references from MarkM about that
hybrid approach, but so far it has all seemed too complex to
be worth the cost to me. That's one reason I like the Horton
mechanism. It's pure object/capability, but still achieves
many (most, all? below) of the values of ACL systems.
>Concerning non-overlap, the concrete case I was thinking of was the
>"port number below 1024" vs. the UNIX permissions. Historically, *every*
>program that tried to straddle that boundary got it dreadfully wrong
>again and again and again.
I'm not sure I understand the above reference. You are referring
I believe to the ID (root only) based access to low port numbers
in Unix systems. That much I think I understand. What do you
mean by programs that "straddle that boundary" and thus create
problems? Perhaps programs that might communicate an open
port as an open file descriptor - as a "capability"? If so
I'm not aware of programs that messed up in that space. Maybe
you could mention an example or reference or...? Thanks.
> > Of course one of the main points of Horton was to demonstrate
> > that we can achieve the main values of ACL systems with pure
> > capabilities. Presumably then the examples where ACL systems
> > are a better solution go beyond what a mechanism like Horton
> > can supply.
>
>I confess that I have not had time to read the Horton paper, but the
>last time we had this discussion we all concluded that the membrane
>approaches had storage allocation and transitivity issues that were very
>difficult to resolve without GC. This made these approaches ill-suited
>to OS-style capabilities.
I'm sure you're trying to be compact in your writing, but I'm afraid
I have to ask - by GC do you mean "Global Common" (my best guess) or
something else? Sorry for not understanding what you are getting at.
Perhaps MarkM can answer more quickly.
>If this remains true, then the claim that Horton addresses the ACL
>objectives seems excessive. On the other hand, if you have a solution I
>should really go read the paper.
>
>Do you?
When I better understand the problem perhaps I can answer. Of course
I do want to understand this issue.
Certainly we claim that the Horton mechanism does provide the
auditing value of identity-based ACLs. If there is something
about the implementation (any possible ocap implementation?)
that makes a Horton sort of "solution" to the identity/ACL
auditability need unworkable, then I'd like to have a clearer
picture of the problem. In that case I believe we should have
included such a discussion in our limited space in the paper.
Perhaps we can redress that omission in a future paper if
we can clarify the issue.
--Jed http://www.webstart.com/jed-signature.html
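Added illustration, not part of Jed's post or the Horton paper: the reading Jed offers above, an open port handed to another process "as an open file descriptor - as a capability", is exactly what a Unix listening socket becomes once it is passed over an AF_UNIX socketpair with SCM_RIGHTS. The uid/ACL-style check (root, or CAP_NET_BIND_SERVICE on Linux, for ports below 1024) is applied once, at bind() time, in the binding process; the receiving process never calls bind() and is never checked, it simply holds the descriptor and with it the authority. The code below is constructed for this page and assumes Python 3.9+ on a Unix system; it binds an ephemeral loopback port (port 0) instead of a privileged one so it runs unprivileged, which is noted in the code, but the descriptor-passing path is identical for port 80.

```python
"""Passing a listening socket between processes as a capability.

Constructed example for illustration; not code from the cap-talk thread.
The parent binds a socket (the only step an ACL/uid check ever guards),
then ships the descriptor to a child process over a Unix-domain socketpair.
The child never binds anything and is never identity-checked: holding the
descriptor is what lets it accept connections.
"""
import os
import socket


def bind_listener(port: int = 0) -> socket.socket:
    """Bind and listen on 127.0.0.1:<port>.

    Port 0 asks the kernel for an ephemeral port so this runs unprivileged.
    A port below 1024 would require root (or CAP_NET_BIND_SERVICE on Linux)
    here, at bind time, and nowhere else in this program.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def send_listener(channel: socket.socket, listener: socket.socket) -> None:
    """Transfer the listening socket's descriptor over an AF_UNIX channel
    (SCM_RIGHTS). The kernel references the open file at send time, so the
    sender may close its own copy immediately afterwards."""
    socket.send_fds(channel, [b"listener"], [listener.fileno()])


def recv_listener(channel: socket.socket) -> socket.socket:
    """Receive one descriptor and wrap it as a socket object. Family and
    type are detected from the descriptor itself."""
    _msg, fds, _flags, _addr = socket.recv_fds(channel, 64, 1)
    return socket.socket(fileno=fds[0])


def serve_one(listener: socket.socket) -> None:
    """Accept a single connection and echo one message back, upper-cased."""
    conn, _peer = listener.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(data.upper())


def demo(message: bytes = b"hello") -> bytes:
    """Parent binds; a forked child receives the descriptor and serves the
    connection. Returns the reply the parent gets back from the child."""
    listener = bind_listener()
    port = listener.getsockname()[1]
    parent_end, child_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)

    pid = os.fork()
    if pid == 0:
        # Child: owns no bound socket until one is handed to it.
        try:
            parent_end.close()
            srv = recv_listener(child_end)
            serve_one(srv)
        finally:
            os._exit(0)

    # Parent: hand over the descriptor and drop every local copy of it.
    child_end.close()
    send_listener(parent_end, listener)
    listener.close()      # the port stays open: the child's copy keeps it alive
    parent_end.close()

    # Connect as a client; the child's accept() services this connection.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message)
        reply = client.recv(1024)
    os.waitpid(pid, 0)
    return reply


if __name__ == "__main__":
    print(demo(b"hello"))
```

The design point to notice is the asymmetry: the ACL-style decision (may this uid bind this port?) is made once and then forgotten by the kernel, while the resulting descriptor behaves as a transferable, unforgeable capability for the rest of its life. Any program that assumes the two stay in step, for instance one that checks the caller's uid to decide who may use an already-bound privileged socket, is reasoning about the wrong boundary.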