[cap-talk] More Heresy: ACLs not inherently bad
Karp, Alan H
alan.karp at hp.com
Thu Oct 2 16:17:41 CDT 2008
Raoul Duke wrote:
>
> right -- so that seems to me to make the benefits gained from
> auto-inferring-capabilities not all that more exciting than just
> making programs setuid as the user invoking them. assuming correct
> implementations of those approaches, the compiler can only overwrite
> the billing file if the user has that ability.
But the compiler needs to update the billing file when it compiles a program. If you setuid as the user, then the compiler is working for free, which is not the model in the example. In fact, the compiler won't be able to exercise any rights not available to the user, such as updating its log file.
>
> maybe, however, there are programs which would want to be more than
> setuid as the user or something, making caps better? but then if it
> had some super cap the user didn't have that would be dangerous. so
> i'm not yet sure how auto-inferring is great. well, other than to say
> "we can do with caps what we already understand as familiar with
> setuid-as-invoking-user programs." which is a fine thing to say.
>
Here's an example I've been using. Alice wishes to use Bob's backup service, which is implemented by using Carol's copy service.
Alice: bob.backup(foo)
Bob: carol.copy(foo,bar)
Carol: copy(a,b) { b.write(a.read()); }
Show me how to do that with setuid without violating least privilege.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
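A sketch of the Alice/Bob/Carol exchange above in object-capability style, added here as an illustration and not code from the post or from any cap-talk project. The class names File, ReadFacet, WriteFacet, Carol and Bob are assumed for the demo; Python does not enforce encapsulation, so the facets model the discipline rather than prove it. Each call passes only the authority the callee needs: Alice hands Bob a read-only facet of foo, Bob hands Carol that facet plus a write-only facet of bar, and Carol's copy can name no other file.

```python
class File:
    """A file; only reachable by others through the facets below."""
    def __init__(self, name, content=b""):
        self.name = name
        self.content = content

class ReadFacet:
    """Capability to read exactly one File (no write method exists)."""
    def __init__(self, f):
        self._f = f
    def read(self):
        return self._f.content

class WriteFacet:
    """Capability to write exactly one File (no read method exists)."""
    def __init__(self, f):
        self._f = f
    def write(self, data):
        self._f.content = data

class Carol:
    """Copy service. Holds no ambient authority; uses only what it is handed."""
    def copy(self, a, b):
        b.write(a.read())

class Bob:
    """Backup service. Owns the backup target and delegates the copy to Carol."""
    def __init__(self, carol):
        self._carol = carol
        self._bar = File("bar")
    def backup(self, foo_reader):
        # Attenuate further: Carol may write bar, but not read it or reach foo's File.
        self._carol.copy(foo_reader, WriteFacet(self._bar))
    def backup_content(self):
        return self._bar.content

def alice_backup(bob, foo):
    """Alice passes a read-only facet of foo, never the File object itself."""
    bob.backup(ReadFacet(foo))

def demo():
    foo = File("foo", b"alice's data")   # constructed sample content
    bob = Bob(Carol())
    alice_backup(bob, foo)
    # What each party could do beyond its task: the facets carry no extra methods.
    carol_can_write_foo = hasattr(ReadFacet(foo), "write")
    carol_can_read_bar = hasattr(WriteFacet(bob._bar), "read")
    return bob.backup_content(), carol_can_write_foo, carol_can_read_bar
```

Under setuid-as-invoking-user, Carol's copy would instead run with all of Alice's rights for the duration of the call.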