[cap-talk] More Heresy: ACLs not inherently bad

Karp, Alan H alan.karp at hp.com
Fri Sep 19 15:35:11 CDT 2008


Shap wrote:
>
> System restarts. Bob goes to check something in to the SCM tree. Bob
> kicks off a copy of the SCM agent. SCM agent needs access to the tree
> that Bob does not have.  This access must be granted by some
> capability.
>
> On what basis does SCM gain access to that capability which Bob does
> not have?
>
The SCM runs as a service and gets its capabilities, including the tree update cap, the way all users get caps into their powerboxes at startup.  Alternatively, the SCM created the tree and all caps needed to manipulate it and persists those caps any way it chooses.  In either approach, Bob gets a cap to the tree update facet of the SCM service if he's allowed the authority to do updates.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp


> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of Jonathan S. Shapiro
> Sent: Friday, September 19, 2008 9:56 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] More Heresy: ACLs not inherently bad
>
> On Fri, 2008-09-19 at 15:54 +0000, Karp, Alan H wrote:
> > Shap wrote:
> > > However, I think your proposal extends to this fine, with only one
> > > challenge: how to ensure in a non-persistent cap system that only the
> > > SCM program has write access to the tree? I don't think this bootstraps
> > > without something ACL-like.
> > >
> > Sorry to be dense, but I don't see why the persistence of the
> permission state of the SCM is special?
>
> System restarts. Bob goes to check something in to the SCM tree. Bob
> kicks off a copy of the SCM agent. SCM agent needs access to the tree
> that Bob does not have.  This access must be granted by some
> capability.
>
> On what basis does SCM gain access to that capability which Bob does
> not have?
>
> Offhand, I cannot think of a scheme that is not identity based.
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
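
The bootstrapping Alan describes, as an added illustration that is not part of either message: the SCM service holds the full tree-update capability and recovers it after a restart from state it persisted itself, while Bob's powerbox only ever holds an attenuated update facet. The registry of unguessable "swiss numbers" standing in for the system's capability table, the class names and the path checks inside the facet are all assumptions of this model, not anything the thread specifies; Python object references are used in place of kernel-protected capabilities, and Python does not actually enforce the encapsulation, so this models the authority flow rather than a real protection boundary.

```python
"""Toy model of capability bootstrapping for an SCM service (constructed example).

Authority is possession of a reference or of an unguessable swiss number;
no code path ever asks "who is calling?".
"""
import secrets


class CapTable:
    """Assumed stand-in for the system's capability registry: maps
    unguessable swiss numbers to live objects so a service can recover
    its capabilities after a restart from state it persisted itself."""

    def __init__(self):
        self._table = {}

    def register(self, obj):
        swiss = secrets.token_hex(32)          # 256 bits: not guessable
        self._table[swiss] = obj
        return swiss

    def lookup(self, swiss):
        try:
            return self._table[swiss]
        except KeyError:
            raise PermissionError("no such capability") from None


class RepoTree:
    """The protected resource: only a TreeWriteCap may mutate it."""

    def __init__(self):
        self.files = {}
        self.history = []


class TreeWriteCap:
    """Full write authority over one RepoTree. Bob never holds this."""

    def __init__(self, tree):
        self._tree = tree

    def write(self, path, data, message):
        self._tree.files[path] = data
        self._tree.history.append((path, message))
        return len(self._tree.history)


def make_update_facet(write_cap):
    """Attenuated facet handed to users: it can request a commit through the
    SCM's policy but exposes no method that returns the write cap itself.
    (The closure is still reachable via Python introspection; model only.)"""

    class UpdateFacet:
        __slots__ = ()

        def commit(self, path, data, message):
            # SCM-side invariants (assumed policy, not from the thread).
            if not message.strip():
                raise ValueError("commit message required")
            if path.startswith("/") or ".." in path.split("/"):
                raise ValueError("path must stay inside the tree")
            return write_cap.write(path, data, message)

    return UpdateFacet()


class SCMService:
    def __init__(self, cap_table, write_swiss):
        # On (re)start the service presents the swiss number it persisted;
        # the table hands back the cap without any identity check.
        self._write_cap = cap_table.lookup(write_swiss)

    def update_facet(self):
        return make_update_facet(self._write_cap)


def first_boot():
    """SCM creates the tree and its write cap, persists the swiss number."""
    table, tree = CapTable(), RepoTree()
    swiss = table.register(TreeWriteCap(tree))
    return swiss, table, tree


def scenario():
    swiss, table, tree = first_boot()
    scm = SCMService(table, swiss)                  # restart: rebuild from persisted swiss
    bob_powerbox = {"scm-update": scm.update_facet()}
    alice_powerbox = {}                             # not allowed to update: no facet
    commits = bob_powerbox["scm-update"].commit("src/main.c", b"int main(){}", "initial")
    try:
        bob_powerbox["scm-update"].commit("../etc/passwd", b"x", "escape")
        escaped = True
    except ValueError:
        escaped = False
    try:
        table.lookup("0" * 64)                      # guessing a swiss number
        guessed = True
    except PermissionError:
        guessed = False
    return {
        "commits": commits,
        "escaped": escaped,
        "guessed": guessed,
        "bob_has_raw_cap": any(isinstance(c, TreeWriteCap) for c in bob_powerbox.values()),
        "alice_can_commit": "scm-update" in alice_powerbox,
        "files": sorted(tree.files),
    }
```

Running `scenario()` shows the two points of the reply at once: the service regains tree authority after the restart purely from what it persisted, and Bob's only route to the tree is the facet, whose policy the SCM controls.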

