[cap-talk] More Heresy: ACLs not inherently bad
toby.murray at comlab.ox.ac.uk
Thu Sep 18 13:23:23 CDT 2008
On Thu, 2008-09-18 at 13:27 -0400, Jonathan S. Shapiro wrote:
> Which brings me to my *real* point, which is that ACLs appear to cover a
> real-world, non-contrived, and valuable use case that capabilities do
> not. ACLs may not be the only mechanism that does so, and they may not
> be the best mechanism for doing so, but it appears to me that *any* such
> mechanism must separate designation and authority, and if that is true
> then capability systems are either pure or practically viable, but not
Let's take the makefile example as such a use case. It's interesting to
note that I cited Plash as a way to solve it. I was proposing a
capability system *atop* a global namespace of the user's files w/ ACLs.
> > We know that capabilities provide much better
> > support for things that are far more important than supporting arbitrary
> > policies, such as POLA and writing secure programs.
> Perhaps. But we also know that capabilities cannot succeed if they
> cannot handle common use cases.
Aha, but here's the point. Maybe you can have your cake and eat it. A
cap system rendered into the form of per-process namespaces w/
delegation between them (à la Plash, Unestos/Asnix etc.) would appear to
give you the benefits of both worlds whilst avoiding the worst features
So perhaps I agree with you after all but see we have (at least pointers
to) practical solutions in our grasp.
> since I've articulated that class of policies multiple times now,
> the burden rests on you to identify what is missing that you need to
Knowing what we don't know is no easy feat though. ;)
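The arrangement sketched above (a capability layer over a global, ACL-guarded namespace, with per-process namespaces and delegation between them) can be modelled in a few dozen lines. The following is an added illustration, not code from this thread, from Plash, or from any of the systems named; the user, paths, file contents and ACL entries are constructed for the example. It shows the makefile case: the user's shell holds capabilities for everything the user's ACL permits, but the build process receives only the two files it was designated, so the ACL layer still decides what the user may touch while the capability layer enforces POLA per process.

```python
"""Toy model: per-process capability namespaces atop an ACL-protected store.

Added example (not from the cap-talk thread or from Plash). All names, paths
and file contents below are constructed for illustration.
"""
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when either the ACL layer or the capability layer refuses."""


@dataclass
class GlobalStore:
    """The global namespace of the user's files, guarded by ACLs.

    acl maps path -> set of user names allowed to read it.
    """
    acl: dict
    data: dict

    def read(self, user, path):
        if user not in self.acl.get(path, set()):
            raise Denied(f"ACL: {user} may not read {path}")
        return self.data[path]


@dataclass(frozen=True)
class FileCap:
    """Handle that bundles designation (path) with authority (the user whose
    ACL rights it exercises). Processes never see the store directly."""
    store: GlobalStore
    user: str
    path: str

    def read(self):
        return self.store.read(self.user, self.path)


@dataclass
class Process:
    """A process sees only its own namespace: name -> FileCap."""
    name: str
    namespace: dict = field(default_factory=dict)

    def open(self, name):
        cap = self.namespace.get(name)
        if cap is None:
            raise Denied(f"cap: {self.name} holds nothing named {name}")
        return cap.read()

    def delegate(self, child, names):
        """Copy only the named entries into the child's namespace
        (attenuation: the child can never hold more than the parent)."""
        for n in names:
            child.namespace[n] = self.namespace[n]


def makefile_demo():
    """Run the makefile scenario and report what each layer allowed."""
    src, mk, key = ("/home/alice/src/main.c",
                    "/home/alice/src/Makefile",
                    "/home/alice/.ssh/id_ed25519")
    store = GlobalStore(
        acl={src: {"alice"}, mk: {"alice"}, key: {"alice"}},
        data={src: "int main(void){return 0;}", mk: "all: main.c",
              key: "constructed-private-key-material"})

    # The shell holds a cap for everything alice's ACL entries permit.
    shell = Process("alice-shell")
    for path in store.acl:
        shell.namespace[path] = FileCap(store, "alice", path)

    # make is launched with only the files the user designated.
    make = Process("make")
    shell.delegate(make, [src, mk])

    result = {"make_reads_source": make.open(src) == store.data[src]}
    try:
        make.open(key)
        result["make_reads_key"] = True
    except Denied:
        result["make_reads_key"] = False
    # The ACL layer is still underneath: a cap minted for a user who is
    # not on the ACL is useless even if a process somehow obtained it.
    try:
        FileCap(store, "bob", src).read()
        result["acl_bypassed"] = True
    except Denied:
        result["acl_bypassed"] = False
    return result


if __name__ == "__main__":
    print(makefile_demo())
```

The two refusals come from different layers: `make` is stopped by its own namespace (it was never given a name for the key), while `bob` is stopped by the store's ACL regardless of what capability object he holds. That separation is what lets the per-process namespace design keep the user-level ACL policy the thread discusses while still confining individual programs.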