[cap-talk] More Heresey: ACLs not inherently bad

Karp, Alan H alan.karp at hp.com
Thu Sep 11 11:16:22 CDT 2008


Toby Murray wrote:

> Hence, there is no performance issue because the namespace is not built
> "per exec" but "per install".
>
The installation endowment.

Shap wrote:
>
> I think what is more likely is to see a convention in which parts of the
> directory tree are generally accessible but deeply read-only (e.g. /bin)
>
The installation endowment.

I contend the installation endowment is the only time you need to grant O(20+) rights.  Per execution is always(?) O(1).

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp


> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of Toby Murray
> Sent: Thursday, September 11, 2008 4:41 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] More Heresey: ACLs not inherently bad
>
> On Thu, 2008-09-11 at 05:47 -0400, Jonathan S. Shapiro wrote:
> > The performance issue is that building a per-exec custom directory tree
> > potentially containing thousands of entries is prohibitive. This
> > certainly would not work in KeyKOS either.
>
> I'm having trouble visualising this problem.
>
> The directory tree visible to a program can be thought of as the
> namespace in which the program operates.
> Most programs assume a fixed namespace and are not written to handle
> arbitrary namespaces. The namespace in which a program expects to be
> brought to life is akin to a calling convention, no? These are generally
> very fixed. These are usually fixed at install time. Hence, there is no
> performance issue because the namespace is not built "per exec" but
> "per install".
>
> Hence, before worrying about the creation of arbitrary namespaces for
> "per exec" for programs, I'd like to see an example program that expects
> such a namespace, in order to demonstrate that this problem is real.
>
> Programs expecting arbitrary namespaces (such as virus scanners and
> search tools) are generally given read-only access to the user's entire
> namespace, avoiding this problem.
>
> I'm yet to be convinced that this is a real problem and can't quite see
> what the fuss is about. I'm hoping Jonathan can expand further on this
> concern.
>
> Cheers
>
> Toby
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
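The cost model Alan and Toby are arguing over, as an added toy model that is not code from this thread, from KeyKOS or from EROS: the installation endowment is built once as a large, sealed, read-only table; each exec references that table and adds only the handful of capabilities that run actually needs, so the per-exec step is O(number of grants) rather than O(size of the install tree). Every name here (Cap, Namespace, install, launch, endowment_is_sealed) is hypothetical, and the 5000-entry install tree and the single per-exec document grant are constructed inline for the demonstration.

```python
# Added example (not code from the cap-talk thread or from any real
# capability OS): a toy model of the "installation endowment" argument.
# All names are hypothetical; the file tree is constructed inline.
from dataclasses import dataclass
from types import MappingProxyType
from typing import Iterable, Mapping, Optional


@dataclass(frozen=True)
class Cap:
    """A capability to one object: the label a program uses plus its rights."""
    name: str
    rights: frozenset  # subset of {"read", "write"}


def install(paths: Iterable[str]) -> Mapping[str, Cap]:
    """Install-time endowment: build the big shared namespace once.

    Every entry is read-only and the mapping itself is immutable, so no
    later exec can add to or alter it (the "deeply read-only /bin"
    convention). This is the only O(N) step in the model.
    """
    return MappingProxyType({p: Cap(p, frozenset({"read"})) for p in paths})


class Namespace:
    """The namespace one execution sees: shared endowment + per-exec grants."""

    def __init__(self, endowment: Mapping[str, Cap], grants: Iterable[Cap]):
        self.endowment = endowment             # referenced, never copied
        self.grants = {c.name: c for c in grants}
        self.per_exec_work = len(self.grants)  # entries created on this exec

    def resolve(self, name: str) -> Optional[Cap]:
        """Per-exec grants shadow the endowment; anything else is absent."""
        return self.grants.get(name) or self.endowment.get(name)

    def open(self, name: str, right: str) -> bool:
        """True only if the program holds a cap for `name` carrying `right`."""
        cap = self.resolve(name)
        return cap is not None and right in cap.rights


def launch(endowment: Mapping[str, Cap], grants: Iterable[Cap]) -> Namespace:
    """Per-exec step: O(len(grants)), independent of len(endowment)."""
    return Namespace(endowment, grants)


def endowment_is_sealed(endowment: Mapping[str, Cap]) -> bool:
    """True if an attempt to extend the endowment at run time is refused."""
    try:
        endowment["/bin/evil"] = Cap("/bin/evil", frozenset({"read", "write"}))  # type: ignore[index]
    except TypeError:
        return True
    return False


def demo() -> dict:
    # Constructed sample: a 5000-entry install tree and one per-exec grant
    # (say, the document the user just picked in a file dialog).
    endowment = install(f"/bin/tool{i}" for i in range(5000))
    doc = Cap("/home/alice/report.txt", frozenset({"read", "write"}))
    ns = launch(endowment, [doc])
    return {
        "install_entries": len(endowment),      # paid once, at install
        "per_exec_work": ns.per_exec_work,      # paid per exec: 1
        "read_bin": ns.open("/bin/tool42", "read"),
        "write_bin": ns.open("/bin/tool42", "write"),          # endowment is read-only
        "write_doc": ns.open("/home/alice/report.txt", "write"),
        "read_other_doc": ns.open("/home/alice/secret.txt", "read"),  # never granted
        "sealed": endowment_is_sealed(endowment),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that the program's namespace is exactly the sealed endowment plus whatever the launcher handed it for this run: it can read /bin but not write it, can write the one document it was given, and cannot even name a file in the user's home that was not granted. Whether a real system achieves the per-exec O(1) by sharing an immutable directory object (as modelled here) or by some other mechanism is what the thread is debating; the model only shows what the cost separation looks like if it holds.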

