[cap-talk] More Heresey: ACLs not inherently bad
Jonathan S. Shapiro
shap at eros-os.com
Wed Sep 17 06:19:27 CDT 2008
On Wed, 2008-09-17 at 11:52 +0100, Toby Murray wrote:
> On Wed, 2008-09-17 at 05:07 -0400, Jonathan S. Shapiro wrote:
> > 2. I still haven't heard a credible answer to the sharing problem that
> > doesn't reconstruct ACLs.
>
> I'm having trouble trying to work out in what real-world cases this
> problem would arise.
The earlier example of "make" was one example. The interesting point
about this example is that the filesystem sub-environment visited by
make is not isolated from the larger file environment of make's user.
The installation endowment doesn't work for make either.
The missing bit in make is that it is rarely useful or desirable to
have multiple users running make in a common directory tree. To
illustrate that, we probably want something like a source code control
database (e.g. mercurial, svn).
But perhaps the clearest example is an object database, where pointers
need to be chaseable. In effect, the operational requirements dictate
that the pointers merely be pointers and the access control be imposed
by some form of overlay.
> Secondly, I also wonder why something like Plash
> wouldn't suit your needs, given that it maintains the POSIX interface
> whilst allowing fine-grained POLA.
Actually, Plash is the thing that gives me hope that a viable approach
exists. To answer your question directly, the main problems I see with
Plash are that it is incompletely integrated into the system and there
are elements in classic UNIX that do not fall within the file system
mechanism. I'm not clear whether Plash can mediate sockets, for example.
shap
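The object-database point above (pointers stay plain pointers and access control is imposed by an overlay, so several principals can share one graph) can be made concrete. The following is an added illustration, not code from the cap-talk post or from Plash: a small object store whose references are bare object ids, with a per-object ACL consulted on every dereference. The principals "alice", "bob" and "carol", the rights vocabulary ("read", "write", "share") and the sample graph are all constructed for the example.

```python
# Added example (not from the cap-talk post): a shared object graph whose
# references are plain object ids, with access control imposed by an ACL
# overlay checked on every dereference. Principals ("alice", "bob", "carol"),
# the graph and the rights vocabulary are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Node:
    oid: int
    payload: str
    refs: list = field(default_factory=list)  # plain object ids, no authority attached


class OverlayStore:
    """Object store where pointers are merely pointers; rights live in a separate map."""

    def __init__(self):
        self.nodes = {}  # oid -> Node
        self.acl = {}    # overlay: oid -> {principal: set of rights}

    def put(self, node, owner):
        self.nodes[node.oid] = node
        self.acl[node.oid] = {owner: {"read", "write", "share"}}

    def rights(self, principal, oid):
        return self.acl.get(oid, {}).get(principal, set())

    def grant(self, grantor, oid, grantee, rights):
        # Only a principal holding "share" on the object may extend its ACL entry.
        if "share" not in self.rights(grantor, oid):
            raise PermissionError(f"{grantor} may not share object {oid}")
        self.acl[oid].setdefault(grantee, set()).update(rights)

    def read(self, principal, oid):
        if "read" not in self.rights(principal, oid):
            raise PermissionError(f"{principal} may not read object {oid}")
        return self.nodes[oid]

    def chase(self, principal, start):
        """Follow references depth-first from `start`.

        Every dereference goes through the overlay, so the walk simply stops
        at nodes the principal cannot read rather than exposing them.
        Returns (readable oids in visit order, denied oids).
        """
        seen, readable, denied = set(), [], []
        stack = [start]
        while stack:
            oid = stack.pop()
            if oid in seen:
                continue
            seen.add(oid)
            try:
                node = self.read(principal, oid)
            except PermissionError:
                denied.append(oid)
                continue
            readable.append(oid)
            stack.extend(reversed(node.refs))  # keep left-to-right visit order
        return readable, denied


def build_shared_graph():
    """Constructed sample: alice owns a chain 1 -> 2 -> 3 and shares 1 and 2 with bob."""
    store = OverlayStore()
    store.put(Node(1, "root", refs=[2]), owner="alice")
    store.put(Node(2, "middle", refs=[3]), owner="alice")
    store.put(Node(3, "private", refs=[]), owner="alice")
    store.grant("alice", 1, "bob", {"read"})
    store.grant("alice", 2, "bob", {"read"})
    return store


def can_grant(store, grantor, oid, grantee):
    """True if grantor succeeds in handing grantee read access to oid."""
    try:
        store.grant(grantor, oid, grantee, {"read"})
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = build_shared_graph()
    print("alice:", store.chase("alice", 1))
    print("bob:  ", store.chase("bob", 1))
    print("bob re-shares 3:", can_grant(store, "bob", 3, "carol"))
```

The point the example makes is the one in the post: bob can chase the same pointers alice can, from the same shared graph, and the walk is cut off exactly where the overlay denies him, without the pointers themselves having to be rewritten or attenuated per user. Note that every dereference costs an ACL lookup, and that the overlay, not the reference, is the thing that must be kept consistent when an object is shared or revoked.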