[cap-talk] Capabilities and ACLs in Spring?
Mark Miller
erights at gmail.com
Sun Apr 6 04:38:58 CDT 2008
On Sun, Apr 6, 2008 at 12:37 AM, Venkatesh Srinivas <me at acm.jhu.edu> wrote:
> Hi,
>
> In the Spring System (from Sun), Objects can be named by capabilities;
> however, objects also have an ACL.
>
> The example in "An Overview of the Spring System" - there is an object
> whose ACL includes domain C but does include domain D; C can use the
> object freely, synthesize a cap to it, and hand it off to D. C can only
> synthesize caps with less authority than it has in the object's ACL. D
> can only use the object once it has a cap.
>
> Is there any good reason for this model? Any reason why Spring adopted
> it?
IIRC, Spring only had ephemeral capabilities, much like Unix has
ephemeral file descriptors. They were thought of only as a way to
efficiently cache ACL-based decisions. In any case, the only
persistent representations of permissions were ACLs. As caches, both
Spring caps and Unix file descriptors are unsafe -- they are not
invalidated by ACL updates. Therefore, had the system gotten more
reliable, it would have become less secure.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
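As an added illustration (my own constructed model, not code from Spring or from either poster), the scheme Venkatesh describes and the staleness point MarkM raises: an object carries an ACL, a domain on the ACL mints a capability with no more authority than its own ACL entry, and a cached cap keeps working after the ACL entry that justified it is removed. The names SpringObject, Capability, synthesize and the two invoke variants are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed model of the Spring scheme discussed in the thread (illustration
# only, not Spring code): an object has an ACL mapping domains to rights; a
# domain on the ACL may synthesize a capability carrying a subset of its
# rights and hand it to a domain that is not on the ACL at all.

READ, WRITE = "read", "write"

class AccessDenied(Exception):
    pass

@dataclass
class SpringObject:
    name: str
    acl: dict  # domain -> set of rights (the persistent representation)

    def rights_of(self, domain):
        return self.acl.get(domain, set())

@dataclass(frozen=True)
class Capability:
    obj: SpringObject
    rights: frozenset
    issuer: str  # domain whose ACL entry justified minting this cap

def synthesize(obj, issuer, rights):
    """Issuer may only mint a cap with rights it itself holds on the ACL."""
    wanted = frozenset(rights)
    if not wanted <= obj.rights_of(issuer):
        raise AccessDenied(f"{issuer} cannot grant {set(wanted)} on {obj.name}")
    return Capability(obj, wanted, issuer)

def invoke_cached(cap, right):
    """Cap as a cached ACL decision: the ACL is never consulted again,
    so an ACL update does not invalidate the cap (the unsafe behaviour)."""
    return right in cap.rights

def invoke_rechecked(cap, right):
    """Safer variant: re-validate against the current ACL on every use, so
    removing the issuer's ACL entry revokes every cap it minted."""
    return right in cap.rights and right in cap.obj.rights_of(cap.issuer)

def demo():
    obj = SpringObject("printer", {"C": {READ, WRITE}})
    cap = synthesize(obj, "C", {READ})          # C attenuates to read-only
    # D, absent from the ACL, can read via the cap but never write
    before = (invoke_cached(cap, READ), invoke_cached(cap, WRITE))
    del obj.acl["C"]                            # ACL update removes C
    after_cached = invoke_cached(cap, READ)     # True: stale cache
    after_rechecked = invoke_rechecked(cap, READ)  # False: revoked
    return before, after_cached, after_rechecked
```

Running demo() returns ((True, False), True, False): the attenuated cap works before the ACL change, the cached variant still honours it afterwards, and the re-checking variant does not.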