[cap-talk] confused deputy problem
Charles Landau
clandau at macslab.com
Tue May 27 11:32:07 CDT 2008
Norman Hardy wrote:
> Some readers of the paper
that would be "The Confused Deputy" at
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
> reasonably presumed that the compiler needed
> write access to billing.
I was one of those readers. That error shows up in my contributions to
http://en.wikipedia.org/wiki/Confused_Deputy.
> The particular event that inspired the paper happened on a machine
> serving hundreds of users with 64MB total disk memory.
> Directories were expensive and the compiler lived in the same
> directory as the billing file and thus had write access that it did
> not need.
In that case, this problem could have been solved by using the Principle
of Least Authority, which does not require capabilities. It seems to me
that to justify the subtitle "or why capabilities might have been
invented", the compiler would have to need write access to the billing
file.
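A toy model of the scenario Hardy describes and of the two remedies this reply contrasts, written here as an added illustration rather than code from the thread or the paper; the file names, contents and the three `compile_*` functions are constructed for the example:

```python
import io

BILLING = "billing"                        # constructed: name of the shared billing file
BILLING_RECORD = "user=alice;charge=3"     # constructed: its contents before compiling

class Directory:
    """Toy directory: whoever holds it may write any name in it (ambient authority)."""
    def __init__(self, files=None):
        self.files = dict(files or {})
    def write(self, name, data):
        self.files[name] = data

def compile_ambient(shared, source, debug_name):
    """The deputy of the thread: it writes its debug file *by name* into the directory
    it shares with the billing file, so a user-chosen name can reach that file."""
    shared.write(debug_name, f"debug output for {source}")
    return shared

def compile_pola(own_dir, source, debug_name):
    """POLA without capabilities: the compiler is only given a directory holding its
    own files, so the same request lands harmlessly in that directory."""
    own_dir.write(debug_name, f"debug output for {source}")
    return own_dir

def compile_cap(source, debug_sink):
    """Capability style: the caller hands over an already-open writable object; the
    compiler never resolves a name, so there is nothing for it to be confused about."""
    debug_sink.write(f"debug output for {source}")
    return debug_sink

def run_scenarios(debug_name=BILLING):
    """Run the same request (debug output named after the billing file) under each regime."""
    shared = Directory({BILLING: BILLING_RECORD})       # compiler and billing share a directory
    compile_ambient(shared, "prog.c", debug_name)

    billing_dir = Directory({BILLING: BILLING_RECORD})  # billing kept out of the compiler's reach
    compiler_dir = Directory()
    compile_pola(compiler_dir, "prog.c", debug_name)

    sink = io.StringIO()                                # the only authority the compiler receives
    compile_cap("prog.c", sink)

    return {
        "ambient": shared.files[BILLING],               # clobbered by the debug output
        "pola": billing_dir.files[BILLING],             # intact; debug went to compiler_dir
        "pola_debug": compiler_dir.files[debug_name],
        "cap_debug": sink.getvalue(),                   # intact billing file never in play
    }
```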