[cap-talk] More Heresy: ACLs not inherently bad
Jonathan S. Shapiro
shap at eros-os.com
Thu Sep 18 13:49:11 CDT 2008

On Thu, 2008-09-18 at 19:23 +0100, Toby Murray wrote:
> On Thu, 2008-09-18 at 13:27 -0400, Jonathan S. Shapiro wrote:
> > Which brings me to my *real* point, which is that ACLs appear to cover a
> > real-world, non-contrived, and valuable use case that capabilities do
> > not. ACLs may not be the only mechanism that does so, and they may not
> > be the best mechanism for doing so, but it appears to me that *any* such
> > mechanism must separate designation and authority, and if that is true
> > then capability systems are either pure or practically viable, but not
> > both.
>
> Let's take the makefile example as such a use case. It's interesting to
> note that I cited Plash as a way to solve it. I was proposing a
> capability system *atop* a global namespace of the user's files w/ ACLs.

As I have pointed out at least twice, it's not a good example, because
it doesn't inherently involve multiple users operating in the same
object graph.

If the problem that you mean to address is how to get the appearance of
private sub-trees in a global file name space having multiple users,
then let that be the problem and forget about whether it's "make" or
something else.

At the moment, I do not see that plash solves this, because it does not
(so far as I know) respect updates to the respective group lists.

shap