[cap-talk] Whether principals' authority can increase
david.hopwood at industrial-designers.co.uk
Wed Sep 24 19:43:42 CDT 2008
Raoul Duke wrote:
>> The same inferences can be drawn from command line input.
> "Some user came to know the name (SYSX)BILL and supplied it to the
> compiler as the name of the file to receive the debugging
> information." 
> how does the ability to inference-and-add abilities save us?
That user only came to know the *name* (SYSX)BILL. They did not
themself have access to (SYSX)BILL; instead they relied on the
compiler's access to it.
So, if a shell acting on behalf of user U maps command line
arguments to capabilities based on U's authority, that would
not prevent capabilities from solving the confused deputy problem
in this case.
Note that in a typical capability OS, the system call that executes
a program does not take a string as the program's command line; it
requires a collection of typed parameters each of which can be a
capability. The filename->capability mapping would be functionality
only of the command-line shell, not of this system call. Even if a
'posix_spawn' or similar API is retained for compatibility, it
wouldn't perform this mapping.
More information about the cap-talk