[cap-talk] Persistence as a cap value

James A. Donald jamesd at echeque.com
Thu Mar 20 18:06:04 EDT 2008


David-Sarah Hopwood wrote:
 > How are the designations of accessible files
 > represented in the project file?
 >
 >   - they could be named (using a path or other
 >     forgeable name), but that would allow the
 >     application to add arbitrary names, regardless
 >     of whether the user has specified them. That
 >     gives the application excess authority.

Permissions need to reflect user intent.  Therefore,
user intent has to be indicated through trusted and
privileged user interfaces brought up through trusted
and privileged user interface software - the powerbox
user interface pattern.  The ultimate source of
capabilities has to be UI modules such as the file
dialog, rather than each program itself bringing up its
own file dialog.  I am proposing, in addition to a
trusted file open and save dialog, a trusted project
file list dialog.

In a POLA system, no application would have access to a
project file, unless the user gave it such access.  Thus
ordinarily only the powerbox for managing project files
would have access to a project file, not any of the
applications launched by the project file, though any
editor could access it if the user chose to open it in
that editor through the file open dialog, for the file
open dialog would itself be a powerbox in a POLA system.
Thus in a POLA system, it would be entirely safe for a
project file to reference other files by their plaintext,
easily forgeable pathnames.
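The arrangement described in the message above, as a small runnable model. This is an added example, not code from this post or from the cap-talk list: the in-memory "filesystem" dict, the pathnames in it, and the class names (FileCap, Powerbox, Application) are all constructed for illustration. The model assumes what the post assumes of a POLA system: the application has no ambient file access, so the only way it can touch a file is through an unforgeable FileCap handed to it by trusted powerbox code. The project file stores plaintext pathnames; only the powerbox ever reads them, so an application launched from the project cannot add names to it, while an editor in which the user deliberately opened the project file can edit the listing (that was the user's intent) but still gains no capability to any file it names.

```python
"""Toy model of the powerbox pattern from the post (added example, not
the list's code). Everything here is constructed for illustration."""

# Constructed in-memory filesystem standing in for the user's disk.
PROJECT = "/home/user/proj/build.proj"
FS = {
    PROJECT: "/home/user/proj/main.c\n/home/user/proj/notes.txt\n",
    "/home/user/proj/main.c": "int main(void) { return 0; }\n",
    "/home/user/proj/notes.txt": "todo\n",
    "/home/user/.ssh/id_rsa": "PRIVATE KEY (never designated by the user)\n",
}


class FileCap:
    """Unforgeable designation of one file. Holding it lets the holder read
    and write that file and nothing else; there is no operation anywhere in
    the application's reach that turns a pathname string into a FileCap."""
    __slots__ = ("_fs", "_path")

    def __init__(self, fs, path):
        self._fs = fs
        self._path = path

    @property
    def name(self):  # a cap may reveal its own name; that grants nothing extra
        return self._path

    def read(self):
        return self._fs[self._path]

    def write(self, data):
        self._fs[self._path] = data


class Powerbox:
    """Trusted, privileged UI code: the only party that resolves plaintext
    pathnames into FileCaps. Its methods stand in for the dialogs the user
    clicks through; `user_choice` is the user's pick, not an app input."""

    def __init__(self, fs, project_path):
        self._fs = fs
        self._project_path = project_path

    def file_open_dialog(self, user_choice):
        if user_choice not in self._fs:
            raise FileNotFoundError(user_choice)
        return FileCap(self._fs, user_choice)

    def project_file_list_dialog(self):
        """Read the project file (visible only to the powerbox) and hand back
        one FileCap per listed pathname. The names are forgeable text, but
        nothing except this trusted code ever acts on them."""
        entries = self._fs[self._project_path].splitlines()
        return [self.file_open_dialog(p.strip()) for p in entries if p.strip()]


class Application:
    """Untrusted code. Under POLA it is launched with FileCaps only; the
    model assumes it has no ambient filesystem access (no open())."""

    def __init__(self, caps):
        self._caps = list(caps)

    def files_reachable(self):
        return sorted(cap.name for cap in self._caps)

    def try_add_to_project(self, path):
        """Attempt to write an extra pathname into the project file. This can
        succeed only if the application was handed a cap to the project file
        itself; caps to the listed files give no route back to their lister."""
        for cap in self._caps:
            if cap.name.endswith(".proj"):
                cap.write(cap.read() + path + "\n")
                return True
        return False


def launch_from_project(fs, project_path):
    """User opens the project via the powerbox: the app receives caps for the
    listed files and nothing more. Returns (reachable files, tampered?)."""
    pb = Powerbox(fs, project_path)
    app = Application(pb.project_file_list_dialog())
    tampered = app.try_add_to_project("/home/user/.ssh/id_rsa")
    return app.files_reachable(), tampered


def open_project_in_editor(fs, project_path):
    """User deliberately opens the project file itself in an editor through
    the trusted file-open dialog. That is user intent, so the editor may read
    and write the listing; it still holds no cap to any file it names."""
    pb = Powerbox(fs, project_path)
    editor = Application([pb.file_open_dialog(project_path)])
    tampered = editor.try_add_to_project("/home/user/.ssh/id_rsa")
    return editor.files_reachable(), tampered


if __name__ == "__main__":
    print("launched from project:", launch_from_project(dict(FS), PROJECT))
    print("project opened in editor:", open_project_in_editor(dict(FS), PROJECT))
```

The two scenario functions work on copies of FS so each run starts from the same constructed state. The first shows the case the post argues for: the launched application never sees the project file, so the plaintext names in it are harmless to store. The second follows the post's remark that an editor may access the project file if the user opens it there: the editor can then change the listing, but the names it writes are resolved only by the powerbox, and only when the user next launches the project through it.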
