[cap-talk] More Heresy: ACLs not inherently bad

Charles Landau clandau at macslab.com
Wed Sep 17 21:28:54 CDT 2008


On 9/12 at 9:06 pm Jonathan S. Shapiro wrote:
> Arrggh. Let me try this again.
> 
> Problem:
> 
> Alice, Bob, Henry, Elmo, Oscar, and so forth are involved in a task
> that requires that all of them manipulate and modify some object
> graph. By "manipulate and modify", I do not mean merely that they
> modify the leaves of the graph. I mean also that they modify the
> structure of the graph itself. It is required that the parties be
> able to have different access rights on different subgraphs.

Some thirty messages later, I still don't have clarity on who gets to 
decide who has access to what.

For example, if Oscar has read-only access to leaf object L, and stores 
a reference to L in node/directory D, to which Henry also has access, is 
it possible that Henry could thereby acquire write access to L? In other 
words, can Oscar grant more authority than he himself has? If so, what 
security properties can be assured?

Without a clear statement of the problem, I don't see how we can help 
you design a solution.

If the problem statement is "it has to be Unix compatible", it's not 
surprising that Unix is the most efficient solution. The issue in my 
mind is, do you want to have *both* Unix ACLs and capabilities in the 
same system? I suspect the answer is yes. If so, do you want to have a 
kernel that handles both (twice as big), or do you want to build one on 
top of the other (inefficiency)?
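The question above (can Oscar, holding read-only access to L, hand Henry write access to L by storing a reference to L in a directory D they share?) is the one a capability system answers by construction. The following is an added example, not code from the cap-talk thread or from any poster: a toy model in which a capability is a (target, rights) pair that can only be attenuated, so a reference fetched from D carries at most the rights of whoever stored it. The names Leaf, Directory, Cap and scenario() are assumptions made for the illustration.

```python
# Added example (not from the cap-talk thread or any poster): a toy
# capability model in which a reference stored into a shared directory
# carries exactly the rights the storer held, so storing cannot amplify.
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


class AccessDenied(Exception):
    """Raised when a capability lacks the right an operation needs."""


@dataclass
class Leaf:
    data: str = ""


@dataclass
class Directory:
    entries: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Cap:
    """An unforgeable (target, rights) pair; rights can only shrink."""
    target: object
    rights: frozenset

    def attenuate(self, rights):
        # Intersection: a holder can hand out a subset of its rights, never more.
        return Cap(self.target, self.rights & frozenset(rights))

    def _require(self, right):
        if right not in self.rights:
            raise AccessDenied(f"capability lacks {right}")

    # Leaf operations
    def read(self):
        self._require(READ)
        return self.target.data

    def write(self, value):
        self._require(WRITE)
        self.target.data = value

    # Directory operations: storing needs WRITE on D, fetching needs READ on D.
    def store(self, name, cap):
        self._require(WRITE)
        self.target.entries[name] = cap

    def fetch(self, name):
        self._require(READ)
        return self.target.entries[name]


def scenario():
    """Oscar (read-only on L) stores L into D, which Henry can read.
    Returns the rights Henry ends up with on L, whether his write
    succeeded, and the final contents of L."""
    L = Leaf("leaf contents")                    # constructed sample object
    D = Directory()
    owner_L = Cap(L, frozenset({READ, WRITE}))
    oscar_L = owner_L.attenuate({READ})          # Oscar: read-only on L
    oscar_D = Cap(D, frozenset({READ, WRITE}))   # Oscar: may write D
    henry_D = Cap(D, frozenset({READ, WRITE}))   # Henry: may also write D

    oscar_D.store("L", oscar_L)
    henry_L = henry_D.fetch("L")                 # Henry gets exactly Oscar's cap
    try:
        henry_L.write("tampered")
        wrote = True
    except AccessDenied:
        wrote = False
    return set(henry_L.rights), wrote, L.data


if __name__ == "__main__":
    print(scenario())   # ({'read'}, False, 'leaf contents')
```

The property this model assures is the one the message asks about: the authority reachable through D is bounded by the authority of whoever stored each entry, because attenuate() can only intersect and there is no operation that adds a right to an existing Cap. Under a pure ACL regime the same question is answered differently: Henry's rights on L would be whatever L's ACL says about Henry, independent of what Oscar stored in D, which is exactly why the two models compose awkwardly in one kernel.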

