[cap-talk] More Heresey: ACLs not inherently bad
Jonathan S. Shapiro
shap at eros-os.com
Thu Sep 18 13:49:11 CDT 2008
On Thu, 2008-09-18 at 19:23 +0100, Toby Murray wrote:
> On Thu, 2008-09-18 at 13:27 -0400, Jonathan S. Shapiro wrote:
> > Which brings me to my *real* point, which is that ACLs appear to cover a
> > real-world, non-contrived, and valuable use case that capabilities do
> > not. ACLs may not be the only mechanism that does so, and they may not
> > be the best mechanism for doing so, but it appears to me that *any* such
> > mechanism must separate designation and authority, and if that is true
> > then capability systems are either pure or practically viable, but not
> > both.
> Let's take the makefile example as such a use case. It's interesting to
> note that I cited Plash as a way to solve it. I was proposing a
> capability system *atop* a global namespace of the user's files w/ ACLs.
As I have pointed out at least twice, it's not a good example, because
it doesn't inherently involve multiple users operating in the same

If the problem that you mean to address is how to get the appearance of
private sub-trees in a global file name space having multiple users,
then let that be the problem and forget about whether it's "make" or

At the moment, I do not see that plash solves this, because it does not
(so far as I know) respect updates to the respective group lists.