[cap-talk] More Heresy: ACLs not inherently bad

Jed Donnelley capability at webstart.com
Wed Sep 17 20:36:14 CDT 2008


At 02:07 AM 9/17/2008, Jonathan S. Shapiro wrote:
>On Tue, 2008-09-16 at 15:27 -0700, Jed Donnelley wrote:
> > Unfortunately, it reads to me as if what Jonathan is requiring is a
> > Unix compatible interface....
>
>Yes
>
> > It's interesting to me that this is about the same position we found
> > ourselves in at LLNL circa 1988.  We were able to argue from a
> > somewhat stronger position because we had already emulated our
> > previous operating system...
>
>Yes and no. Two issues:
>
>1. Jonathan is prepared to accept a hybrid system for the sake of
>compatibility, and then go on to avoid building any of the system layer
>security on the ACL mechanism.
>
>2. I still haven't heard a credible answer to the sharing problem that
>doesn't reconstruct ACLs.

I don't understand what you would consider "credible".  A system like
NLTSS (and I presume KeyKOS and many others) did just fine with sharing
without having to use a single large directory naming structure with
access restricted by "user".  Perhaps you can suggest an example of
something that can't be done with simple objects such as directories
and files referred to by capability (reference that binds designation
with authorization).  A concept like "deep read-only" (called "sensory"
in KeyKOS and "inheritance" in the Elephant storage system and "free
access" in NLTSS with very slight variations in semantics) can allow
one to do broader sharing with a single directory structure (e.g. mixed
read-only and read-write for some base capabilities vs. deep read-only
for others), but for me the real question is whether there is a "credible"
requirement for the kind of large directory sharing that you've put
forward Jonathan.  Unix uses such a structure, but to me that's because
it's there (ACLs).

Is there anything that produces the requirement other than Unix
compatibility?  I agree with those who suggest that capability
references are easier for people to understand than ACLs,
particularly in a network environment.  Capability references
are a simple concept that can be managed locally vs. something
like ACLs that seem to require a global administrative environment.

Lacking any requirement other than Unix compatibility perhaps this
topic isn't worth discussing further?

--Jed  http://www.webstart.com/jed-signature.html 
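Added example (not part of the original post, and not code from NLTSS, KeyKOS or the Elephant system): a toy model of the sharing arrangement Jed describes, where directories and files are referred to only by capability (designation bound to authorization) and a "deep read-only" variant attenuates everything reached through it. All class and function names (`Cap`, `Directory`, `File`, `weaken`, `sharing_outcomes`) are assumptions made for this illustration. It shows the mixed case the post mentions: a shallow read-only capability to a directory still yields the read-write capabilities stored inside it, whereas a deep read-only capability is read-only all the way down, with no per-user ACL or global naming structure involved.

```python
"""Toy capability-referenced directory model (added example, not project code).

Every access decision is made from the capability presented, never from a
caller identity looked up in an ACL. 'Deep read-only' (called 'sensory' in
KeyKOS, 'free access' in NLTSS per the post) is modelled as a flag that
propagates through directory lookups.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


class AccessDenied(Exception):
    """Raised when the capability used does not carry the needed right."""


class File:
    def __init__(self, content: str) -> None:
        self.content = content


class Directory:
    def __init__(self) -> None:
        # A directory stores capabilities under names; no user list anywhere.
        self.entries: Dict[str, "Cap"] = {}


@dataclass(frozen=True)
class Cap:
    """A capability: the object it designates plus the rights it carries."""
    target: Union[File, Directory]
    write: bool      # may modify the designated object
    deep_ro: bool    # every capability obtained through this one is also
                     # read-only and deep ('sensory')

    def weaken(self, deep: bool = False) -> "Cap":
        """Derive a read-only capability; deep=True makes it deep read-only."""
        return Cap(self.target, write=False, deep_ro=deep)

    def read(self) -> str:
        if not isinstance(self.target, File):
            raise TypeError("read() needs a file capability")
        return self.target.content

    def write_content(self, data: str) -> None:
        if not isinstance(self.target, File):
            raise TypeError("write_content() needs a file capability")
        if not self.write:
            raise AccessDenied("write right not held on file")
        self.target.content = data

    def lookup(self, name: str) -> "Cap":
        if not isinstance(self.target, Directory):
            raise TypeError("lookup() needs a directory capability")
        cap = self.target.entries[name]
        # Deep read-only attenuates whatever is reached through this capability.
        if self.deep_ro:
            return Cap(cap.target, write=False, deep_ro=True)
        return cap

    def link(self, name: str, cap: "Cap") -> None:
        if not isinstance(self.target, Directory):
            raise TypeError("link() needs a directory capability")
        if not self.write:
            raise AccessDenied("write right not held on directory")
        self.target.entries[name] = cap


def build_tree() -> Cap:
    """Constructed sample tree: root/ -> project/ -> notes.txt (owner's cap)."""
    root = Cap(Directory(), write=True, deep_ro=False)
    project = Cap(Directory(), write=True, deep_ro=False)
    root.link("project", project)
    project.link("notes.txt", Cap(File("draft"), write=True, deep_ro=False))
    return root


def can_write(cap: Cap, path: List[str]) -> bool:
    """Walk `path` from `cap` and report whether the file at the end is writable."""
    for name in path:
        cap = cap.lookup(name)
    try:
        cap.write_content("changed")
        return True
    except AccessDenied:
        return False


def sharing_outcomes() -> Dict[str, bool]:
    """Compare what three capabilities to the same root directory permit."""
    owner = build_tree()
    shallow = owner.weaken(deep=False)   # read-only root; stored caps keep rights
    deep = owner.weaken(deep=True)       # read-only all the way down
    path = ["project", "notes.txt"]
    outcomes: Dict[str, bool] = {}
    # Deep read-only can still read the file (checked before anyone writes).
    outcomes["deep_reads_file"] = deep.lookup("project").lookup("notes.txt").read() == "draft"
    outcomes["owner_writes_file"] = can_write(owner, path)
    try:
        shallow.link("extra", Cap(File(""), write=True, deep_ro=False))
        outcomes["shallow_links_root"] = True
    except AccessDenied:
        outcomes["shallow_links_root"] = False   # cannot change the directory itself
    # ...but the read-write caps found inside still allow writing: the mixed
    # read-only/read-write sharing the post describes.
    outcomes["shallow_writes_file"] = can_write(shallow, path)
    outcomes["deep_writes_file"] = can_write(deep, path)
    return outcomes


if __name__ == "__main__":
    for k, v in sharing_outcomes().items():
        print(f"{k}: {v}")
```

The design point is that the holder of `shallow` or `deep` was never named anywhere; the sharer simply handed over a weaker capability, and the directory it reaches needs no knowledge of who is asking. Revoking the share means withholding or replacing that capability, not editing an access list.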
