[cap-talk] Confused Deputies in Capability Systems - not
Bill Frantz
frantz at pwpconsult.com
Thu Feb 26 23:50:11 EST 2009
marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Thursday, February 26, 2009 wrote:
> Instead, in a Unix implementation the compiler should use the suid/sgid mechanism
> and access() to check user-supplied filenames. That is a robust mechanism to
> solve this problem that is provided by the operating system exactly for this
> use case.
Does this technique work in David-Sarah's example, where the client is
itself a deputy? Quoting:
> - what if the client is itself a deputy? In that case the compiler's
> check that the client has the necessary permission would succeed,
> even though the access should be denied unless the client's client
> also had that permission. Even if (unrealistically) we assume that
> the compiler were trusted to perform system-level access checks,
> its client certainly will not be.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
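Added illustration of David-Sarah's nested-deputy case (not code from the thread): a small C model in which an access()-style check answers for whoever asks, so a deputy calling a deputy launders authority, whereas passing the opened file (a capability) cannot. The principals, paths and the `model_access`/`model_open` stand-ins are constructed for the example; they are not real POSIX calls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: each principal may read a fixed set of paths,
 * standing in for uid-based filesystem permissions. */
typedef struct { const char *name; const char *allowed[4]; } principal;

static const principal user     = { "user",     { "/home/user/a.c", NULL } };
static const principal wrapper  = { "wrapper",  { "/home/user/a.c", "/etc/secret", NULL } };

/* Stand-in for access(2): it reports on the identity of the process
 * that asks, which in a nested call is the intermediate deputy. */
static bool model_access(const principal *who, const char *path) {
    for (size_t i = 0; who->allowed[i]; i++)
        if (strcmp(who->allowed[i], path) == 0) return true;
    return false;
}

/* Ambient-authority deputy (sgid compiler): takes a name and checks
 * whether its immediate caller may read it. */
static bool compile_by_name(const principal *caller, const char *path) {
    return model_access(caller, path);  /* then reads path with its own rights */
}

/* A second deputy (e.g. a build tool) between the user and the compiler.
 * It runs with its own identity and cannot forward the user's. */
static bool build_by_name(const principal *caller, const char *path) {
    (void)caller;  /* the original client's identity is lost here */
    return compile_by_name(&wrapper, path);
}

/* Capability style: the client opens the file itself and hands over the
 * handle. A handle of -1 means the opener lacked access. */
typedef int handle;
static handle model_open(const principal *who, const char *path) {
    return model_access(who, path) ? 1 : -1;
}
static bool compile_by_handle(handle h) { return h >= 0; }
/* The build tool can only pass on what its client was able to open. */
static bool build_by_handle(handle h) { return compile_by_handle(h); }
```

Calling `build_by_name(&user, "/etc/secret")` succeeds even though the user has no right to that file, while `build_by_handle(model_open(&user, "/etc/secret"))` is refused because the user could not obtain the handle.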