[cap-talk] More Heresy: ACLs not inherently bad
Charles Landau
clandau at macslab.com
Wed Sep 10 17:58:27 CDT 2008
Jed Donnelley wrote:
> At 08:30 PM 9/9/2008, Charles Landau wrote:
>> Yes, the sub-directories must also be different, unless they happen to
>> grant the same access...
>> Each time you pass a different set of capabilities to a process, you
>> construct a new directory-like object that will give access to that set.
>> So in general, different processes will receive capabilities to
>> different directory-like objects. It needn't use Horton.
>
> Unless I'm not understanding something, it seems to me that it
> must be essentially Horton in that any capability fetched
> through such a directory-like object given to "new process"
> must inherit the "new-process"ness of the capability it was
> given - so that future requests (e.g. more fetches) will return
> "new process" labeled capabilities and so that in turn when
> leaf node capabilities are finally returned they can have
> the appropriately limited access (that which should be granted
> to "new process" as opposed to "old process").
This isn't Horton, because the "new process" is free to delegate its
capability without any involvement of the directory-like object.
The directory-like object is just like a normal directory except that it
is built on the fly. Its only purpose is to address Shap's concern that
building a complete directory at the time the new process starts is "a
burden on program startup".
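The scheme described in this reply, as an added Python sketch that is not code from the thread or from any capability system discussed in it: a process is started with a set of capabilities, a directory-like object is built on the fly from exactly that set, two processes given the same set share one directory while different sets get different directories, and a capability fetched from the directory is the capability itself, so the new process can hand it to a third party without the directory being involved. `FileObject`, `Capability`, `OnTheFlyDirectory`, `directory_for` and `run_scenario` are hypothetical names chosen for this illustration; the sample file content is constructed.

```python
from __future__ import annotations
from typing import Dict, FrozenSet, Set


class FileObject:
    """A toy resource (hypothetical) that the capabilities below refer to."""

    def __init__(self, content: str = "") -> None:
        self.content = content

    def read(self) -> str:
        return self.content

    def write(self, data: str) -> int:
        self.content = data
        return len(data)


class Capability:
    """An unforgeable reference to one object plus the operations it permits.

    Holding the Python reference *is* the authority: invoking it consults no
    name, no label and no directory.
    """

    def __init__(self, target: FileObject, ops: FrozenSet[str]) -> None:
        self._target = target
        self._ops = ops

    def attenuate(self, ops: Set[str]) -> "Capability":
        """Derive a weaker capability (e.g. read-only) to the same object."""
        return Capability(self._target, self._ops & frozenset(ops))

    def invoke(self, op: str, *args):
        if op not in self._ops:
            raise PermissionError(f"capability does not permit {op!r}")
        return getattr(self._target, op)(*args)

    # Two capabilities grant "the same access" if they name the same object
    # with the same operations; used to recognise identical capability sets.
    def __eq__(self, other) -> bool:
        return (isinstance(other, Capability)
                and self._target is other._target
                and self._ops == other._ops)

    def __hash__(self) -> int:
        return hash((id(self._target), self._ops))


class OnTheFlyDirectory:
    """Directory-like object built at process start from exactly the
    capabilities that process is handed. It behaves like an ordinary
    directory: fetch() returns the stored capability itself, not a proxy."""

    def __init__(self, entries: Dict[str, Capability]) -> None:
        self._entries = dict(entries)
        self.fetches = 0  # how often this directory was consulted

    def fetch(self, name: str) -> Capability:
        self.fetches += 1
        return self._entries[name]


_directories: Dict[FrozenSet, OnTheFlyDirectory] = {}


def directory_for(entries: Dict[str, Capability]) -> OnTheFlyDirectory:
    """Return the directory for this capability set, building one only if no
    process has yet been started with exactly the same set."""
    key = frozenset(entries.items())
    if key not in _directories:
        _directories[key] = OnTheFlyDirectory(entries)
    return _directories[key]


def run_scenario() -> dict:
    """Old process holds read/write; new process is started with read-only.
    The new process then delegates its capability to a third process
    without the directory being involved."""
    _directories.clear()
    log = FileObject("line 1\n")                  # constructed sample object
    full = Capability(log, frozenset({"read", "write"}))
    read_only = full.attenuate({"read"})

    old_dir = directory_for({"log": full})
    new_dir = directory_for({"log": read_only})
    again = directory_for({"log": read_only})      # same access -> same directory

    cap = new_dir.fetch("log")                     # the new process's only fetch

    # Delegation: the new process passes `cap` straight to a third process,
    # which invokes it directly. new_dir is not in the loop for any of this.
    delegated_read = cap.invoke("read")
    try:
        cap.invoke("write", "tampered\n")
        write_denied = False
    except PermissionError:
        write_denied = True

    return {
        "distinct_dirs": old_dir is not new_dir,
        "same_set_shared": again is new_dir,
        "delegated_read": delegated_read,
        "delegated_write_denied": write_denied,
        "directory_fetches": new_dir.fetches,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of `fetches` staying at 1 is the one made in the reply: after the single lookup, the delegated capability is used and passed on with no further involvement of the directory-like object, which is why this is just a lazily built directory rather than a Horton-style arrangement that stays in the path of every subsequent request.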