[cap-talk] More Heresey: ACLs not inherently bad
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Sep 24 17:51:40 CDT 2008
Karp, Alan H wrote:
> David Wagner wrote:
>> So my hypothesis is that the more seriously you take the principle
>> of least privilege(authority), the more you have to be careful about
>> confused deputy bugs.
>
> I'm not so sure. The compiler service necessarily needs the authority
> to read and write every file the invoker might specify as parameters.
No, if the parameters are capabilities then each instance of the compiler
only needs the authority passed by its actual parameters.
--
David-Sarah Hopwood
More information about the cap-talk
mailing list