[cap-talk] More Heresy: ACLs not inherently bad
Jonathan S. Shapiro
shap at eros-os.com
Thu Sep 18 12:58:27 CDT 2008
Let me try a concrete example, and let's see whether we can work through
We are trying to run a source code repository. We have two classes of
users of the repository: documenters and developers. We also have a
class of administrators who determine which users are in which class (or
possibly in both).
The desired policy is:
1. All users in either group should have read access to all source
files stored in the repository.
2. In order to revise a file whose name ends in .c or .h, the user
must be in the developer group.
3. Similarly, in order to create a directory anyplace *other than* the
"doc" tree, the user must be in the developer group.
4. We require that every revision be able to record the principal ID
of the responsible revisor.
5. We require that membership of the groups be alterable, and that
the effect of alteration applies to subsequent attempts to revise.
6. The reference repository tree has integrity requirements that are
assured by guaranteeing that the data set is only updated by the
software configuration management server.
We are not concerned with proxying in this policy. If you agree to proxy
for me, you are taking responsibility and sooner or later we'll fire
your ass. The access control implementation is not required to implement
the company's human resources department, though if you feel especially
energetic we won't reject that submission. :-)
Now it is perfectly clear to me that this policy can be implemented with
capabilities very easily. This is true primarily because all decisions
are made at open time and we have defined the key policy requirement as
accountability tracing rather than access prevention.
But in the absence of system-wide persistence, it is also clear that we
need a way to capture the fact that the SCM server can touch the portion
of the filesystem that stores the repository even though I (a user of
the SCM server) cannot. That is where this is going to get hung up.
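The six-point policy above, written out as a small authorization model. This is an added example, not code from the cap-talk thread or from any SCM server; the class and function names are mine. It assumes, where the post leaves it implicit, that files other than .c/.h may be revised by either group and that directories inside the doc tree may be created by either group. Rule 6 (only the SCM server touches the backing store) is the part the post says is hard to capture without persistence and is outside the example; what is modelled is the decision the server makes, computed once at open time as the post describes, with the principal recorded on every revision (rule 4) and group changes taking effect on subsequent opens (rule 5).

```python
"""Group-based authorization for the repository policy in the post (illustrative)."""
from dataclasses import dataclass, field
import posixpath

DOC_TREE = "doc"                     # rule 3: directory creation is unrestricted only here
SOURCE_SUFFIXES = (".c", ".h")       # rule 2: revising these needs the developer group


def normalize(path):
    """Normalise a repository-relative path so that the doc-tree test cannot be
    bypassed with "doc/../src/x.c"; reject paths that escape the repository."""
    norm = posixpath.normpath(path).lstrip("/")
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"path escapes the repository: {path!r}")
    return norm


@dataclass
class Handle:
    """An open file: the permitted operations were fixed when it was opened."""
    principal: str
    path: str
    ops: frozenset
    repo: "Repository"

    def read(self):
        if "read" not in self.ops:
            raise PermissionError(f"{self.principal} may not read {self.path}")
        return self.repo.files.get(self.path, "")

    def revise(self, content):
        if "revise" not in self.ops:
            raise PermissionError(f"{self.principal} may not revise {self.path}")
        self.repo.files[self.path] = content
        # rule 4: every revision records the responsible principal
        self.repo.revision_log.append((self.principal, self.path))


@dataclass
class Repository:
    groups: dict = field(default_factory=dict)        # principal -> set of group names
    files: dict = field(default_factory=dict)         # path -> content (toy store)
    revision_log: list = field(default_factory=list)  # (principal, path) per revision

    def set_groups(self, principal, groups):
        """Administrator action (rule 5); affects later opens, not open handles."""
        self.groups[principal] = set(groups)

    def in_group(self, principal, group):
        return group in self.groups.get(principal, set())

    def allowed_ops(self, principal, path):
        """Evaluate rules 1-3 for one principal and one path."""
        path = normalize(path)
        dev = self.in_group(principal, "developer")
        member = dev or self.in_group(principal, "documenter")
        ops = set()
        if member:
            ops.add("read")                          # rule 1: both groups read everything
        if path.endswith(SOURCE_SUFFIXES):
            if dev:
                ops.add("revise")                    # rule 2: .c/.h need developer
        elif member:
            ops.add("revise")                        # assumption: other files, either group
        in_doc = path == DOC_TREE or path.startswith(DOC_TREE + "/")
        if dev or (member and in_doc):
            ops.add("mkdir")                         # rule 3: outside doc tree needs developer
        return ops

    def open(self, principal, path):
        """The open-time decision: capture the permitted operations in the handle."""
        path = normalize(path)
        return Handle(principal, path, frozenset(self.allowed_ops(principal, path)), self)


def demo():
    """Constructed scenario: a documenter is removed from her group after opening a file."""
    repo = Repository()
    repo.set_groups("alice", {"developer"})
    repo.set_groups("bob", {"documenter"})
    handle = repo.open("bob", "doc/guide.txt")
    repo.set_groups("bob", set())        # administrator removes bob from every group
    handle.revise("v2")                  # already-open handle still works (open-time decision)
    try:
        repo.open("bob", "doc/guide.txt").revise("v3")
        later = "allowed"
    except PermissionError:
        later = "denied"                 # rule 5: the change applies to subsequent attempts
    return repo.revision_log, later


if __name__ == "__main__":
    print(demo())
```

The handle carrying a fixed set of operations is what makes the post's "all decisions are made at open time" concrete: revoking a group membership does not reach into handles already held, which is exactly the behaviour the post accepts in exchange for accountability (the log line) rather than access prevention.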