[cap-talk] More Heresey: ACLs not inherently bad

[Jonathan S. Shapiro]

Arrggh. Let me try this again.

There exists a sharing problem that ACLS uniquely solve, and that
appears to *require* the de facto separation of designation and
authority. It is possible to solve this problem on top of a pure
capability substrate, but only by implementing a filter whose net effect
is to simulate the behavior of ACLS or something very close to them.

Problem:

Alice, Bob, Henry, Elmo, Oscar, and so forth are involved in a task
that requires that all of them manipulate and modify some object
graph. By "manipulate and modify", I do not mean merely that they
modify the leaves of the graph. I mean also that they modify the
structure of the graph itself. It is required that the parties be
able to have different access rights on different subgraphs.

Note that because the graph itself is being modified, making
replicates of the graph for each party is infeasible. This devolves
to the distributed filesystem problem. The proof by example that it is
possible to manage this problem was once called RFS. The existence
proof that users will not tolerate the cost of such consistency is
called NFS.

Note further that the implementation of per-party access right
distinctions cannot be achieved by capability-based permissions
within the graph. If we downgrade some cap to prevent Alice from
accessing a subgraph, all other users will also be downgraded because
the structure is shared.

So far as I can tell, the only workable method for solving this problem
is mediation of all accesses to the graph in a per-client-user fashion.
While this can be implemented by user-mode code on top of a capability
substrate, it appears to me that this emulation constitutes, for all
practical purposes, an access control list.


shap