[cap-talk] confused deputy problem

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu May 29 11:59:50 CDT 2008


James A. Donald wrote:
> Charles Landau wrote:
>  > In that case, this problem could have been solved by
>  > using the Principle of Least Authority, which does not
>  > require capabilities. It seems to me that to justify
>  > the subtitle "or why capabilities might have been
>  > invented", the compiler would have to need write
>  > access to the billing file.
> 
> The problem described occurs in a world that is quite
> unlike our present world.  The problem occurs in a world
> where a single CPU has many users, who do not trust each
> other.
> 
> In the present world, a single user has many CPUs, and
> does not trust much of the software that they are
> executing.  This is a different problem which calls for
> different solutions.
> 
> The standard unix way of solving the problem described
> is that each program runs under a user's authority, with
> the full authority of that user, able to do anything
> that user could do.  So if the user could not write to
> the billing file, he could not command the compiler to
> write to the billing file.
> 
> This seems a fine way of solving the problem that
> occurred back then, a fine way of solving the problems
> we used to have.

The problem that a user should not trust much of the software
that they are executing also applied at that time; it was just
less obvious.

Conversely, sharing CPUs between users is at least as common now
as it ever was.

In other words, a system must solve both problems, and that was
always the case.

-- 
David-Sarah Hopwood
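The three models argued over above (the setuid-style deputy that runs with its own broad authority, the "standard unix way" of running a program with only the caller's authority, and a capability-passing deputy) as a toy simulation. This is an added illustration, not code from the thread or from any participant; the principals "alice" and "compiler", the paths "/billing" and "/home/alice/out", and the in-memory filesystem are all constructed for the example.

```python
"""Toy model of the confused deputy scenario discussed in this thread.

A compiler (the deputy) must append a charge to a billing file that its
callers may not write, and it writes object code to a caller-chosen path.
Three ways of running it are modelled; all paths, principals and the
in-memory filesystem are constructed for illustration, not real OS code.
"""

from dataclasses import dataclass, field


@dataclass
class ToyFS:
    """In-memory filesystem with a per-path write ACL of principal names."""
    acl: dict = field(default_factory=dict)     # path -> set of principals that may write
    files: dict = field(default_factory=dict)   # path -> list of appended records

    def write(self, principal, path, data):
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files.setdefault(path, []).append(data)


def make_fs():
    fs = ToyFS()
    fs.acl["/billing"] = {"compiler"}                   # only the compiler's identity
    fs.acl["/home/alice/out"] = {"alice", "compiler"}   # alice's own output area
    return fs


# 1. Ambient authority: every write is checked against the deputy's identity,
#    so the deputy cannot tell a legitimate output path from the billing file.
def ambient_compile(fs, caller, output_path):
    fs.write("compiler", "/billing", f"charge {caller}")
    fs.write("compiler", output_path, "object code")


# 2. Caller's authority (the "standard unix way" in the quoted text): immune to
#    the confusion, but the deputy can no longer do its own job.
def caller_authority_compile(fs, caller, output_path):
    fs.write(caller, "/billing", f"charge {caller}")  # raises for any non-compiler caller
    fs.write(caller, output_path, "object code")


# 3. Capabilities: the access check happens when a capability is obtained, by
#    whoever obtains it; the deputy then writes only through what it holds.
class WriteCap:
    """Designation and authority in one object (by convention in this toy,
    only open_for_write constructs one)."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path

    def append(self, data):
        # No principal check here: holding the capability is the authority.
        self._fs.files.setdefault(self._path, []).append(data)


def open_for_write(fs, principal, path):
    if principal not in fs.acl.get(path, set()):
        raise PermissionError(f"{principal} may not open {path} for writing")
    return WriteCap(fs, path)


def cap_compile(billing_cap, output_cap, caller):
    billing_cap.append(f"charge {caller}")
    output_cap.append("object code")


# ---- Scenarios ------------------------------------------------------------
def run_ambient():
    """Alice names the billing file as her output path; the deputy obliges."""
    fs = make_fs()
    ambient_compile(fs, "alice", "/home/alice/out")   # legitimate use
    ambient_compile(fs, "alice", "/billing")          # the confused deputy
    return fs.files["/billing"]


def run_caller_authority():
    """Same deputy under the caller's authority: the billing write fails first."""
    fs = make_fs()
    try:
        caller_authority_compile(fs, "alice", "/home/alice/out")
        return "compiled"
    except PermissionError as e:
        return str(e)


def run_capability():
    """Alice cannot obtain a billing capability, so she has none to pass."""
    fs = make_fs()
    billing = open_for_write(fs, "compiler", "/billing")   # deputy's own capability
    out = open_for_write(fs, "alice", "/home/alice/out")
    cap_compile(billing, out, "alice")
    try:
        open_for_write(fs, "alice", "/billing")
        obtained = True
    except PermissionError:
        obtained = False
    return obtained, fs.files["/billing"], fs.files["/home/alice/out"]


if __name__ == "__main__":
    print("ambient   :", run_ambient())
    print("caller    :", run_caller_authority())
    print("capability:", run_capability())
```

Running it shows the tension the thread is circling: the ambient deputy lets "object code" land in the billing file, the caller-authority deputy cannot append a charge at all, and the capability deputy does its job while the caller never holds any authority over the billing file to misdirect.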
