[cap-talk] Reducing the authority of a file browser in a capability OS.
Karp, Alan H
alan.karp at hp.com
Wed Dec 23 12:50:35 PST 2009
Rob Meijer wrote:
>
> In my view the 'least' authority is when the authority resides with the
> creator pseudo persistent process until the user 'explicitly' asks for a
> (revocable, optionally attenuated) cap to delegate to another process.
From a permission analysis of your scheme, the user's powerbox does not have access to files created by the pseudo persistent process. However, the user needs some way to continue editing the file in a later session. In other words, the user's powerbox needs a capability to the pseudo persistent process that has the rw capability to the file. Hence, from an authority analysis, there is no essential difference in the rights reachable from the user's powerbox.
Your approach imposes a particular hierarchy on the way a user accesses a file, one in which the user selects the pseudo persistent process from a powerbox and then the file. The user could just as easily have structured the names in a powerbox this way, but might choose another organization. I don't believe there is any difference from a security perspective.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
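The permission-versus-authority distinction in the reply above, modelled as an added example (not code from the thread or from either author): two capability graphs, one where the powerbox holds the rw cap to the file directly and one where it only holds a cap to the creator process, and the file rights reachable from the powerbox under each analysis. Object names and the file name are constructed.

```python
from dataclasses import dataclass, field

FILE = "file:report.txt"  # constructed sample file name


@dataclass(frozen=True)
class Cap:
    target: str        # object or file the capability designates
    rights: frozenset  # for files: subset of {"r", "w"}; for processes: "invoke"


@dataclass
class Obj:
    name: str
    caps: list = field(default_factory=list)  # capabilities this object holds


def permission_analysis(world, start):
    """Rights on files held *directly* by `start` (what the powerbox names now)."""
    return {c.target: c.rights for c in world[start].caps if c.target.startswith("file:")}


def authority_analysis(world, start):
    """Rights on files reachable by following capabilities transitively from `start`.
    A cap to a process that holds a cap to a file contributes that file's rights."""
    reach, seen, todo = {}, set(), [start]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for cap in world[name].caps:
            if cap.target.startswith("file:"):
                reach[cap.target] = reach.get(cap.target, frozenset()) | cap.rights
            elif cap.target in world:
                todo.append(cap.target)
    return reach


def direct_scheme():
    """Powerbox holds the rw cap to the file itself."""
    return {"powerbox": Obj("powerbox", [Cap(FILE, frozenset("rw"))])}


def creator_scheme():
    """Creator-process scheme: the pseudo persistent process keeps the rw cap, and the
    powerbox holds only a cap to that process so the user can resume editing later."""
    return {
        "powerbox": Obj("powerbox", [Cap("editor-proc", frozenset({"invoke"}))]),
        "editor-proc": Obj("editor-proc", [Cap(FILE, frozenset("rw"))]),
    }
```

Permission analysis shows the two schemes differ (the powerbox holds no file cap in the creator scheme), while authority analysis shows the same rw right on the file is reachable from the powerbox in both.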