[cap-talk] Don't put capabilities in argv?
Kevin Reid
kpreid at mac.com
Sat Jul 12 20:51:25 CDT 2008
On Jul 12, 2008, at 21:10, Dean Tribble wrote:
> You could also follow the pattern in the "what if files were
> objects"examples and use "command < cap" to get the capabilities over
> a stream.
Hey, this generalizes. Given a shell at least as capable as bash, you
can pipe in multiple non-file sources. e.g.
foo-cap-receiver <(bar-cap-generator) <(baz-cap-generator)
and this eliminates needing to clean up temporary files. You just need
some command which takes some non-authority-bearing designation of the
actual capability (or already knows it, or determines it in some
application-specific way), and writes the capability to stdout.
Basically, all these read-from-specified-file schemes are introducing
a sort of c-list. The capabilities are referenced by filenames (~=
clist indexes), but not actually constituted by them. In the case of
<(...), the filenames are even a (sloppy) local namespace: /dev/fd/*
(or whatever it is on your OS).
A broken idea I just had:
Generate a symmetric encryption key. Write it to a well-known location
in the user's home directory. Encrypt all capabilities which might be
passed over argv.
This would work transparently -- until you try to delegate to anything
not in this account. Whoops.
--
Kevin Reid <http://homepage.mac.com/kpreid/>
More information about the cap-talk
mailing list