[cap-talk] More Heresy: ACLs not inherently bad
James A. Donald
jamesd at echeque.com
Mon Sep 1 18:21:26 CDT 2008
Jonathan S. Shapiro wrote:

> The issue is that when any larger number of
> capabilities is transferred, an organizing (naming)
> scheme soon becomes necessary so that the two sides
> can keep them straight. And somewhere around O(20)
> capabilities, it becomes performance prohibitive to
> construct those organizations on the fly. As a
> consequence they cease to be transient, and we find
> ourselves looking at something that looks a lot like a
> name space or directory space that gets handed to
> *everyone*.

These are of course durable capabilities. Transient
capabilities, such as access to a file, are typically
O(1).

A system that relies on durable capabilities is going to
look a lot like a system in which chroot really can
control access to everything, and every program gets
chrooted and virtualized.

It is also going to look somewhat like a framework which
allows equivalent services to be interchanged - denying
access to a capability, and selecting which to use of
several capabilities that provide the same API being
closely related problems.
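The two problems the post ties together (denying a durable capability, and choosing which of several same-API services a component receives) can be seen in a small model of a namespace handed to a sandboxed component. This is an added illustration, not code from the cap-talk thread or any system discussed in it; the `Namespace`, `MemoryStore`, `AuditedStore` and `run_component` names are invented for the example, and the "storage" capability name is a constructed sample.

```python
"""Toy model of a durable capability namespace (added example, not from the thread).

The parent builds a namespace, decides what goes in it, and hands the whole
namespace to a component.  The component can only reach what the namespace
names.  Denying a capability and substituting an equivalent service are the
same operation from the component's point of view: a different namespace.
"""
from typing import Any, Dict, List, Optional


class CapabilityDenied(Exception):
    """Raised when a component asks for a name its namespace does not carry."""


class Namespace:
    """Name -> capability mapping, the only thing a component is given."""

    def __init__(self) -> None:
        self._caps: Dict[str, Any] = {}

    def grant(self, name: str, cap: Any) -> None:
        self._caps[name] = cap

    def deny(self, name: str) -> None:
        # Removing the name is how the parent revokes a durable capability.
        self._caps.pop(name, None)

    def lookup(self, name: str) -> Any:
        try:
            return self._caps[name]
        except KeyError:
            raise CapabilityDenied(name) from None


class MemoryStore:
    """One service offering a put/get API (constructed for the example)."""

    def __init__(self) -> None:
        self._data: Dict[str, str] = {}

    def put(self, key: str, value: str) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[str]:
        return self._data.get(key)


class AuditedStore:
    """An interchangeable service with the same API that also records calls.

    The component cannot tell it apart from MemoryStore; the parent chose it.
    """

    def __init__(self, inner: MemoryStore) -> None:
        self._inner = inner
        self.log: List[str] = []

    def put(self, key: str, value: str) -> None:
        self.log.append(f"put {key}")
        self._inner.put(key, value)

    def get(self, key: str) -> Optional[str]:
        self.log.append(f"get {key}")
        return self._inner.get(key)


def build_namespace(storage: Any) -> Namespace:
    """Parent-side policy: which concrete service answers to the name 'storage'."""
    ns = Namespace()
    ns.grant("storage", storage)
    return ns


def run_component(ns: Namespace) -> Optional[str]:
    """Component code: reaches storage only by name, never by ambient authority."""
    store = ns.lookup("storage")
    store.put("greeting", "hello")
    return store.get("greeting")


if __name__ == "__main__":
    plain = build_namespace(MemoryStore())
    print(run_component(plain))          # hello

    audited = AuditedStore(MemoryStore())
    print(run_component(build_namespace(audited)), audited.log)

    plain.deny("storage")
    try:
        run_component(plain)
    except CapabilityDenied as exc:
        print("denied:", exc)
```

The point the model makes is that the component's code is identical in all three runs; swapping the service and revoking it are both parent-side edits to the namespace, which is why the post treats them as closely related problems.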