[cap-talk] Capabilities and LDAP (was Reducing Ambient user authority in a Type Safe /Memory Safe OS.)

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Dec 18 19:18:24 PST 2009


Monty Zukowski wrote:
>>> 3) Central Management- This also includes LDAP/AD/NDS tree integration.
>>> I still think you must provide this to get company acceptance. Getting
>>> people to move to Capabilities is a big enough task with adding social
>>> structure changes.
>>>
>> The problem is that people have conflated authorization decisions and access decisions.  Once people
>> understand the difference, they'll see that they can still use LDAP to make authorization decisions and use
>> capabilities as the embodiment of those decisions.  For example, users might worry about delegating to
>> someone who should not have the right.  You can build a system that uses LDAP to help.
> 
> I'm curious to understand what you mean there, how LDAP can be used to help.
> 
> For the system we're building, the basic idea is that user info is
> stored in LDAP.   We have sets of capabilities called capsets (think
> of a folder of bookmarks), and use those in place of groups.  Group
> membership just means the user has been given the handle to a specific
> capset.
> 
> Inside our system, we take the union of the capsets a user has as the
> real capset they have to work with.

If that means what I think it does (the system allows a request whenever
a subject has some capability that would satisfy it), then you've lost many
of the advantages of capability systems. To prevent confused deputy attacks,
it's critical that a subject is required to explicitly present the
capabilities that it wants to use with each request.

I'm also concerned when you say that *users* have capabilities.
Much smaller-grained subjects (e.g. processes or objects) should be able
to hold capabilities independently of whether they are acting directly
as agents of a user.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
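An added illustration of the point made above, not code from the thread or from Monty's system: a "union of capsets" check grants a request whenever any held capability fits, which lets a deputy be confused, whereas requiring the caller to present a specific capability with each request does not. The capset model, the deputy, and all paths and names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to a resource plus the rights it conveys."""
    resource: str
    rights: frozenset

    def satisfies(self, resource, right):
        return self.resource == resource and right in self.rights

def ambient_allows(held_capsets, resource, right):
    """Union-of-capsets model: allowed if ANY capability the subject holds fits."""
    return any(cap.satisfies(resource, right)
               for capset in held_capsets for cap in capset)

def explicit_allows(presented, resource, right):
    """Capability discipline: only the capability presented with the request counts."""
    return presented.satisfies(resource, right)

# Constructed scenario: a report-writing deputy service holds a capability to its
# own log file, and callers ask it to write their report to a path they name.
DEPUTY_LOG = Capability("/var/log/deputy.log", frozenset({"write"}))
ALICE_OUT = Capability("/home/alice/report.txt", frozenset({"read", "write"}))
deputy_capsets = [{DEPUTY_LOG}]   # the deputy's own authority

def ambient_deputy(caller_capsets, target):
    """Ambient deputy: acts with the union of its own and the caller's capsets,
    so the caller only has to name a target path."""
    return ambient_allows(deputy_capsets + caller_capsets, target, "write")

def explicit_deputy(caller_cap, target):
    """Explicit deputy: writes the caller's report only with the capability the
    caller presented; its own log capability is never mixed into the decision."""
    return explicit_allows(caller_cap, target, "write")

def scenario():
    alice_capsets = [{ALICE_OUT}]
    return {
        # Alice asks for her report to be written over the deputy's own log.
        "ambient_confused": ambient_deputy(alice_capsets, "/var/log/deputy.log"),
        "explicit_refused": explicit_deputy(ALICE_OUT, "/var/log/deputy.log"),
        # Legitimate use still works when the right capability is presented.
        "explicit_legit": explicit_deputy(ALICE_OUT, "/home/alice/report.txt"),
        # The deputy presents its own capability when it writes its own log.
        "deputy_own_log": explicit_allows(DEPUTY_LOG, "/var/log/deputy.log", "write"),
    }
```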
