[cap-talk] Save as Reducing the authority of a file browser in a capability OS.

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Dec 29 15:38:41 PST 2009


Rob Meijer wrote:
> On Tue, December 29, 2009 05:20, Kevin Reid wrote:
>
>> The relevant aspect of "Save As" in this discussion is choosing a new
>> filename/location for the document, not choosing the format.
> 
> What might be an interesting question is, given the parallelisms to OOP,
> should '[Save] As':
> 
> * Include some sort of private/protected/public flag.

No. The subjects that the file will be visible to are the subjects that
have access to the part of the namespace where it is saved. Adding any
other kind of access control mechanism is redundant, and depending on the
details of how that mechanism is specified, may introduce confused deputy
attacks.

"protected" only has meaning in the context of inheritance, which isn't
involved here.

> * Allow choosing between the private per pseudo-persistent process
>   namespace, the 'static' per application+uid namespace, the semi-global per
>   uid namespace and the global multi-user namespace?

The namespace that the user sees in a Save As dialog is the namespace that
was given to the powerbox. It can include whatever the instantiator of the
powerbox wants it to include, in any organization. That's a matter of
policy.

> * Only create a named reference to a facet/caretaker for the always
>   'private' file?

Yes, the obtained capability for the file might be a revocable proxy, for
example. In the BrowserManager design I outlined, the membraned view of
the filesystem can enforce any desired attenuation of the granted file
capabilities.

> In my view the ideal solution would allow Save As to create a
> facet/caretaker in the static, semi-global or global namespace, defaulting
> to a read-only facet/caretaker created in the semi-global namespace.

Whether the granted capability should be read-only depends on whether the
user selected to view or edit the file. Alternatively, if there is an
application framework controlling part of the app window (in particular
the File menu), then it is possible to ensure that the file is only saved
if, when, and where the user asks to save it.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
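The reply above describes the Save As powerbox handing the application a capability that is already attenuated (read-only when the user chose to view) and revocable (a caretaker or membrane the grantor can cut off). The sketch below is an added illustration of that pattern and is not code from the cap-talk thread or from any EROS or CapROS component; every name in it (FileCap, ReadOnlyFacet, Caretaker, Powerbox, make_caretaker, demo) is hypothetical, and the namespace it browses is a constructed in-memory stand-in for a filesystem.

```python
"""Attenuated, revocable file capabilities granted by a Save As powerbox.

Hypothetical illustration: the application never receives the namespace,
only a proxy for the single file the user picked, shaped by how they picked it.
"""
from __future__ import annotations
from dataclasses import dataclass


class Revoked(Exception):
    """Raised once a caretaker's forwarding link has been severed."""


class NotPermitted(Exception):
    """Raised when a facet does not carry the requested authority."""


@dataclass
class FileCap:
    """Full-authority file object (in-memory stand-in for a real file)."""
    name: str
    data: bytes = b""

    def read(self) -> bytes:
        return self.data

    def write(self, data: bytes) -> None:
        self.data = data


class ReadOnlyFacet:
    """Attenuation: forwards read() only; write() is structurally absent."""
    def __init__(self, target: FileCap):
        self._target = target

    def read(self) -> bytes:
        return self._target.read()

    def write(self, data: bytes) -> None:
        raise NotPermitted("read-only facet")


class Caretaker:
    """Revocable forwarder: the holder only ever talks to this proxy, so the
    grantor can revoke by nulling the single reference to the target."""
    def __init__(self, target):
        self._target = target

    def _forward(self):
        if self._target is None:
            raise Revoked("caretaker revoked")
        return self._target

    def read(self) -> bytes:
        return self._forward().read()

    def write(self, data: bytes) -> None:
        self._forward().write(data)


def make_caretaker(target):
    """Return (proxy, revoke): calling revoke() severs proxy from target."""
    ct = Caretaker(target)

    def revoke() -> None:
        ct._target = None
    return ct, revoke


class Powerbox:
    """Back end of the Save As dialog. It alone holds the browsable namespace;
    grant() returns an attenuated, revocable capability for one chosen file."""
    def __init__(self, namespace: dict[str, FileCap]):
        self._ns = namespace
        self._revokers = []

    def grant(self, chosen_name: str, mode: str):
        # chosen_name stands in for the entry the user selected in the dialog
        target = self._ns.setdefault(chosen_name, FileCap(chosen_name))
        if mode == "view":
            target = ReadOnlyFacet(target)      # user only asked to look
        elif mode != "edit":
            raise ValueError("mode must be 'view' or 'edit'")
        proxy, revoke = make_caretaker(target)
        self._revokers.append(revoke)
        return proxy

    def revoke_all(self) -> None:
        """Cut off every capability handed out so far (e.g. on app exit)."""
        for revoke in self._revokers:
            revoke()


def demo() -> dict:
    """Walk through a view grant, an edit grant and revocation; report outcomes."""
    ns = {"notes.txt": FileCap("notes.txt", b"draft")}   # constructed sample namespace
    pb = Powerbox(ns)
    out = {}
    viewer = pb.grant("notes.txt", "view")
    out["view_read"] = viewer.read()
    try:
        viewer.write(b"tampered")
        out["view_write_blocked"] = False
    except NotPermitted:
        out["view_write_blocked"] = True
    editor = pb.grant("notes.txt", "edit")
    editor.write(b"final")
    out["view_sees_edit"] = viewer.read()
    pb.revoke_all()
    try:
        editor.read()
        out["revoked"] = False
    except Revoked:
        out["revoked"] = True
    out["underlying"] = ns["notes.txt"].data
    return out


if __name__ == "__main__":
    print(demo())
```

The point the thread makes falls out of the structure: the read-only decision is taken by the powerbox from the user's action, not by a flag the application asks for, and because the application holds only a caretaker, the grantor can withdraw the authority later without the application's cooperation.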
