[cap-talk] More Heresey: ACLs not inherently bad
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Tue Sep 23 04:21:48 CDT 2008
At Mon, 22 Sep 2008 17:37:58 +0000,
"Karp, Alan H" <alan.karp at hp.com> wrote:
> Marcus Brinkmann wrote:
> >
> > Reauthentication is an extremely powerful notion in the context of
> > POSIX compatibility. For example, in the GNU/Hurd it is possible to
> > send a new capability to the ACL server to a process using a signal
> > message and have it reauthenticate all its file handles, for example
> > to elevate the privileges of your text editor so that you can save a
> > file that you edited in core with read-only access under the previous
> > ID.
> >
> We have seen several examples on this list where increasing the permissions of a capability leads to confused deputies. How do you avoid that problem?
I don't think that this is an example of a confused deputy, because
there is no deputy. Instead, the user just manages the authority he
has and distributes it among the programs he runs.
To be more specific: Since Ubuntu GNU/Linux encourages the use of sudo
rather than the use of a dedicated root account, I frequently find
myself in the situation where I am editing a system configuration
file, and cannot save my changes because I forgot to invoke the
editor under sudo. Then I have to either save to a temporary file,
restart the editor under sudo, load the temporary file and save to
the right place, or I have to drop my changes, restart the editor
under sudo, and do everything again.
In the Hurd, I could just reauth the editor process and give it the
additional capabilities needed to make progress.
Of course, a powerbox design could make this even more user friendly.
The GNU/Hurd does not have a powerbox. Instead, its interface design
is POSIX oriented.
Thanks,
Marcus