[cap-talk] More Heresey: ACLs not inherently bad

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Wed Sep 24 10:53:18 CDT 2008


Hi,

At Tue, 23 Sep 2008 23:01:49 +0000, "Karp, Alan H" <alan.karp at hp.com> wrote:
> The essence of the confused deputy is that the deputy has no way to
> apply a different set of rights to different parameters because the
> deputy's identity is the only thing used to decide which permissions
> to use.  In this example, a person is making the policy decision of
> what rights to grant.  In an automated system, that would be a piece
> of code.  That code may be erroneous, but that's not the same as
> being confused in the sense of the compiler service in Norm's
> confused deputy example.

I misremembered the confused deputy example.  Thanks for pointing out
my error.

But frankly, what's the big fuss then?  Every unix game that keeps a
system wide high score faces the same issue, and it's no big deal to
setuid the game and open the high-score (or compiler billing file)
under a different authority than the user's before dropping to the
user's ID and continuing.

Norm documented a couple of ways not to do this (matching file
names with regular expressions, for example).  But this does not mean
that there isn't a better way to do this even in ACL-based systems.

> > Coming up with mechanisms and policies that reduce the risk for
> > confusion and still allow for a rich collaborative environment is a
> > challenge in any system, at many layers.
> >
> People have built such systems, and they have been used in
> production environments, from Plessy to KeyKOS to e-speak, and
> everything in between.  So, at least we have existence proofs.

Well, I'll raise that topic again when I can download Cubuntu.

Thanks,
Marcus
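The setuid ordering Marcus sketches (open the shared high-score file under the program's own authority, drop to the invoking user's real uid, and only then touch anything the user named) as an added example; this is my code, not from the thread or any of the systems it mentions. The function names are mine, the two files are constructed temp files so the walk-through runs unprivileged, and the uid checks are the fail-closed guards a practitioner would want around the drop.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Step 1: while still running with the game's setuid authority, open the
 * shared high-score file.  The descriptor keeps that authority after the
 * uid changes; nothing user-controlled is consulted at this point. */
int open_score_file(const char *score_path) {
    return open(score_path, O_RDWR | O_APPEND | O_NOFOLLOW);
}

/* Step 2: drop to the invoking user's real uid, permanently.  setuid() in a
 * privileged process sets real, effective and saved uid together.  A failed
 * drop is fatal for the caller, never something to continue past. */
int drop_to_real_user(void) {
    uid_t real = getuid();
    if (setuid(real) != 0) return -1;
    if (geteuid() != real) return -1;   /* verify the drop actually happened */
    return 0;
}

/* Step 3: only now open the user-named path, with the user's own rights.
 * Refuse outright if we are somehow still privileged. */
int open_user_file(const char *user_path) {
    if (geteuid() != getuid()) return -1;
    return open(user_path, O_RDONLY | O_NOFOLLOW);
}

/* Walk-through on two constructed temp files (hypothetical paths, not a
 * real game's files): returns 0 when every step succeeded in order. */
int demo_roundtrip(void) {
    char score[] = "/tmp/hiscore.XXXXXX", user[] = "/tmp/userfile.XXXXXX";
    int sfd = mkstemp(score), ufd = mkstemp(user);
    if (sfd < 0 || ufd < 0) return -1;
    close(sfd); close(ufd);
    int rc = -1;
    int hs = open_score_file(score);
    if (hs >= 0 && drop_to_real_user() == 0) {
        int uf = open_user_file(user);
        if (uf >= 0) {
            const char line[] = "player 100\n";   /* constructed score entry */
            if (write(hs, line, sizeof line - 1) == (ssize_t)(sizeof line - 1)) rc = 0;
            close(uf);
        }
    }
    if (hs >= 0) close(hs);
    unlink(score); unlink(user);
    return rc;
}
```

Run unprivileged, the drop is a no-op that still passes the checks; installed setuid, the same three calls give the game the high-score descriptor and nothing else beyond the user's own rights.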



More information about the cap-talk mailing list