[cap-talk] Bee Eyes (was: "ACLs don't" paper rejected from Oakland 09)
Bill Frantz
frantz at pwpconsult.com
Thu Feb 5 16:42:42 EST 2009
capability at webstart.com (Jed Donnelley) on Thursday, February 5, 2009 wrote:
>Incidentally, have any others seen this:
>
>http://neil.brown.name/blog/20041206170240
>
>(speaking of Unix access controls). I find it interesting in being a
>more or less first principles effort to "reform" Unix access
>controls. Doesn't exactly result in object/capabilities, but it
>seems to me that what he is looking for can be achieved with
>object/capabilities.

A lot of his thoughts are similar to the way we arranged user directories
in KeyKOS.

One thing that bothers me about his essay is that it only addresses file
access. IMHO, file access is a relatively narrow and uninteresting part of
the access control problem. More important is access control for active
entities, call them servers, daemons, databases etc. These include things
such as CVS, MySQL, Apache etc. etc. Perhaps he will discuss them when he
discusses the setuid bit. It still seems likely to me that the result will
be a separate form of access control for active entities, with different
syntax and semantics. Oh well.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz | There are also no libertar- | Periwinkle
(408)356-8506 | ians in financial crises. | 16345 Englewood Ave
www.pwpconsult.com | - Jeff Frankel | Los Gatos, CA 95032