[cap-talk] confused deputy problem
James A. Donald
jamesd at echeque.com
Wed May 28 20:05:40 CDT 2008
Charles Landau wrote:
> In that case, this problem could have been solved by
> using the Principle of Least Authority, which does not
> require capabilities. It seems to me that to justify
> the subtitle "or why capabilities might have been
> invented", the compiler would have to need write
> access to the billing file.
The problem described occurs in a world that is quite
unlike our present world. The problem occurs in a world
where a single CPU has many users, who do not trust each
other.
In the present world, a single user has many CPUs, and
does not trust much of the software that they are
executing. This is a different problem which calls for
different solutions.
The standard unix way of solving the problem described
is that each program runs under a user's authority, with
the full authority of that user, able to do anything
that user could do. So if the user could not write to
the billing file, he could not command the compiler to
write to the billing file.
This seems a fine way of solving the problem that
occurred back then, a fine way of solving the problems
we used to have.
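An added toy model of the compiler-and-billing-file scenario the thread is discussing (illustration only, not code from the cap-talk thread or from any of its participants). The principals, paths and file contents are constructed, and "compilation" is a string transform. Three variants are shown: the compiler running with authority of its own, which is the setting in which the confused deputy arises; the Unix approach the message describes, where the program runs with the invoking user's authority and nothing more; and a capability variant, where the caller must hand the compiler an unforgeable handle for the output file while the compiler keeps its own handle for the billing record, which covers the case raised in the quoted remark (a compiler that really does need write access to the billing file).

```python
"""Toy model of the compiler/billing-file scenario discussed in the thread.

Added illustration, not code from the cap-talk thread. All principals, paths and
file contents are constructed; "compilation" is just a string transform.
"""
from dataclasses import dataclass, field

SRC = "/home/alice/prog.src"      # constructed path
BILLING = "/billing/charges.txt"  # constructed path


class AccessDenied(Exception):
    pass


@dataclass
class Store:
    """Toy file system: path -> contents, plus path -> set of principals allowed to write."""
    files: dict = field(default_factory=dict)
    write_acl: dict = field(default_factory=dict)

    def write_as(self, principal: str, path: str, data: str) -> None:
        """Ambient-authority check: who is asking decides whether the write is allowed."""
        if principal not in self.write_acl.get(path, set()):
            raise AccessDenied(f"{principal} may not write {path}")
        self.files[path] = data


def fresh_store() -> Store:
    # Constructed state: alice may write her own source; the compiler service has been
    # granted write access both to user areas and to the billing file it must append to.
    return Store(
        files={SRC: "int main(){}", BILLING: "alice:3\n"},
        write_acl={SRC: {"alice", "compiler"}, BILLING: {"compiler"}},
    )


def compile_source(src: str) -> str:
    return f"OBJ({src})"  # stand-in for real compilation


# 1. The setting in which the confused deputy arises: the compiler runs with its own
#    authority, so it writes wherever the user told it to, the billing file included.
def compile_with_own_authority(store: Store, user: str, source_path: str,
                               output_path: str) -> str:
    obj = compile_source(store.files[source_path])
    store.write_as("compiler", output_path, obj)
    store.write_as("compiler", BILLING, store.files[BILLING] + f"{user}:1\n")
    return store.files[BILLING]  # what became of the billing record


# 2. The Unix way described in the message: the program runs with the invoking user's
#    full authority and nothing more. A user who cannot write the billing file cannot
#    make the compiler write it (and, having no authority of its own, the compiler
#    cannot keep a billing record in this variant either).
def compile_as_user(store: Store, user: str, source_path: str, output_path: str) -> str:
    obj = compile_source(store.files[source_path])
    store.write_as(user, output_path, obj)  # AccessDenied if the user may not write there
    return store.files[output_path]


# 3. Capability style: designation and authority travel together. The caller hands the
#    compiler an unforgeable handle to the output file; the compiler holds its own handle
#    to the billing file and can write nothing else.
class WriteCap:
    def __init__(self, store: Store, path: str):
        self._store, self.path = store, path

    def write(self, data: str) -> None:
        self._store.files[self.path] = data  # no ACL lookup: holding the cap is the authority

    def read(self) -> str:
        return self._store.files[self.path]


def grant_write_cap(store: Store, user: str, path: str) -> WriteCap:
    """The one place the ACL is consulted: a user can mint caps only for files they may write."""
    if user not in store.write_acl.get(path, set()):
        raise AccessDenied(f"{user} may not obtain a write capability for {path}")
    return WriteCap(store, path)


def compile_with_caps(store: Store, user: str, source_path: str,
                      output: WriteCap, billing: WriteCap) -> str:
    output.write(compile_source(store.files[source_path]))
    billing.write(billing.read() + f"{user}:1\n")
    return billing.read()


def is_denied(fn, *args) -> bool:
    """True if fn(*args) raises AccessDenied; used by the demo below."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print("own authority, output=billing:", repr(compile_with_own_authority(fresh_store(), "alice", SRC, BILLING)))
    print("unix, output=billing denied:", is_denied(compile_as_user, fresh_store(), "alice", SRC, BILLING))
    s = fresh_store()
    print("caps:", repr(compile_with_caps(s, "alice", SRC, grant_write_cap(s, "alice", SRC), WriteCap(s, BILLING))))
    print("caps, billing cap for alice denied:", is_denied(grant_write_cap, s, "alice", BILLING))
```

In the first variant the user names the billing file as the output and the compiler, acting under its own authority, overwrites it; in the second the same request fails at the ACL check because the write is attempted as the user; in the third the user simply cannot obtain a handle to the billing file, so there is nothing to hand the compiler, while the compiler's own handle lets it keep its record.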