[cap-talk] More Heresy: ACLs not inherently bad

Karp, Alan H alan.karp at hp.com
Mon Sep 1 16:19:41 CDT 2008


Shap wrote:
>
> I posit, for the moment, a "modified ACL system" [which I am tempted not
> to define, out of respect for tradition]. There is a first-class object
> that I will call Principal. Operations require both an Object reference
> and a Principal reference, and a predicate is applied to the (Object,
> Principal, Operation) tuple to determine whether the operation is
> permitted.
>
Your proposal seems to depend critically on how Object is designated.  If Object is a file designated by its name, and Principal has read and write permission in the ACL, I don't see how you avoid confused deputy.  On the other hand, if the designation of Object is to a facet of the file that denotes only read permission, using the ACL to deny that permission breaks encapsulation.  That's not necessarily a bad thing if you want to support voluntary oblivious compliance.

One important point that came up in an earlier discussion about capabilities moving out and then back in through a membrane is that adding permissions is dangerous.  In your approach, there is no(?) security risk in using the ACL to deny a right transmitted via the namespace, but I worry about using it to add rights.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
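The point about designation in the message above can be made concrete with a small model. What follows is an added illustration, not code from the original post or from either correspondent: a toy version of the "modified ACL" system in the quoted proposal, where a predicate over (Object, Principal, Operation) decides each access. Case 1 designates the Object by name and shows the confused deputy; case 2 designates it by a facet carrying only certain rights; case 3 layers an ACL predicate over a facet and contrasts using it to deny rights (intersection) with using it to add rights (union). The principals ("alice", "auditor", the "compiler" deputy), the file names and the ACL entries are all constructed sample data.

```python
"""Added illustration (not from the original post): a toy version of the
'modified ACL' system from the quoted proposal.  A predicate over
(Object, Principal, Operation) decides every access; the Object is
designated either by name or by a facet carrying only certain rights.
Principals, file names and the 'compiler' deputy are constructed."""
from dataclasses import dataclass

READ, WRITE = "read", "write"
BILLING = "/var/compiler/billing.log"

# Constructed ACL: file name -> {principal: rights}.  The compiler service
# runs as principal "compiler"; alice has no rights at all on BILLING.
ACL = {
    "/home/alice/prog.c": {"alice": {READ, WRITE}, "compiler": {READ}},
    "/home/alice/prog.o": {"alice": {READ, WRITE}, "compiler": {WRITE}},
    BILLING: {"compiler": {READ, WRITE}, "auditor": {READ}},
}
STORE = {name: b"" for name in ACL}  # file contents

def acl_permits(name, principal, op):
    """Predicate over (Object-by-name, Principal, Operation)."""
    return op in ACL.get(name, {}).get(principal, set())

def acl_write(name, principal, data):
    if not acl_permits(name, principal, WRITE):
        raise PermissionError(f"{principal} may not {WRITE} {name}")
    STORE[name] += data

# Case 1: Object designated by name.  The deputy does the write as itself,
# so the predicate consults the deputy's rights, never the caller's.
def compile_by_name(output_name):
    acl_write(output_name, "compiler", b"object code\n")
    return output_name

def demo_by_name():
    """Alice names the compiler's own billing log as her output file."""
    before = STORE[BILLING]
    compile_by_name(BILLING)          # succeeds: the classic confused deputy
    return STORE[BILLING] != before   # True, although alice has no rights on BILLING

# Case 2: Object designated by a facet, a reference to one file that
# carries only the rights it was minted with.
@dataclass(frozen=True)
class Facet:
    name: str
    rights: frozenset

def open_facet(name, principal, wanted):
    """Mint a facet for `principal`; refused unless the ACL already grants
    `principal` every right in `wanted`."""
    if not all(acl_permits(name, principal, op) for op in wanted):
        raise PermissionError(f"{principal} cannot obtain {sorted(wanted)} on {name}")
    return Facet(name, frozenset(wanted))

def facet_write(facet, data):
    if WRITE not in facet.rights:
        raise PermissionError(f"facet on {facet.name} carries no {WRITE}")
    STORE[facet.name] += data

def compile_by_facet(output):
    """Deputy never names the output itself; it writes through what it was handed."""
    facet_write(output, b"object code\n")
    return output.name

def demo_by_facet():
    """Alice cannot even mint a write facet on BILLING, so she cannot pass one."""
    try:
        open_facet(BILLING, "alice", {WRITE})
        minted_billing = True
    except PermissionError:
        minted_billing = False
    out = open_facet("/home/alice/prog.o", "alice", {WRITE})
    compile_by_facet(out)
    return (not minted_billing) and STORE["/home/alice/prog.o"] != b""

# Case 3: facet designation plus an ACL predicate.  'deny' lets the ACL
# only remove rights the facet carries; 'add' lets it grant rights the
# facet lacks, which reopens the confused-deputy hole of case 1.
def modified_acl_permits(facet, principal, op, mode):
    in_facet = op in facet.rights
    in_acl = acl_permits(facet.name, principal, op)
    return (in_facet and in_acl) if mode == "deny" else (in_facet or in_acl)

def demo_deny_vs_add():
    """An auditor hands the compiler a read-only facet on BILLING."""
    ro = open_facet(BILLING, "auditor", {READ})
    return (modified_acl_permits(ro, "compiler", WRITE, "deny"),   # False
            modified_acl_permits(ro, "compiler", WRITE, "add"))    # True

def demo_deny_overrides_holder():
    """Alice hands over a facet that does carry WRITE on prog.c; under 'deny'
    the compiler's ACL entry (READ only) vetoes what the facet holder granted."""
    rw = open_facet("/home/alice/prog.c", "alice", {READ, WRITE})
    return modified_acl_permits(rw, "compiler", WRITE, "deny")   # False
```

Run the four demo functions in order. Case 1 succeeds in clobbering the billing log because the name carries no authority and the check is made against the deputy's principal. Case 2 fails at designation time: a principal without write permission cannot mint a write facet to pass along. Case 3 shows the asymmetry noted in the message: an ACL that can only subtract from a facet's rights never grants more than the holder had (though it does override the holder's own grant, the encapsulation point), whereas an ACL that can add rights lets a read-only facet become a write once it reaches a sufficiently privileged principal.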