[cap-talk] Confused Deputies in Capability Systems - not
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Fri Feb 27 09:34:17 EST 2009
Bill Frantz wrote:
> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Thursday, February 26, 2009 wrote:
>
>> Instead, in a Unix implementation the compiler should use the suid/sgid mechanism
>> and access() to check user-supplied filenames. That is a robust mechanism to
>> solve this problem that is provided by the operating system exactly for this
>> use case.
>
> Does this technique work in David-Sarah's example, where the client is
> itself a deputy? Quoting:
>
>> - what if the client is itself a deputy? In that case the compiler's
>> check that the client has the necessary permission would succeed,
>> even though the access should be denied unless the client's client
>> also had that permission. Even if (unrealistically) we assume that
>> the compiler were trusted to perform system-level access checks,
>> its client certainly will not be.
No, but that has nothing to do with the compiler billing example as stated.
Thanks,
Marcus
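The sgid-plus-access() pattern from the quoted message, as an added example that is not from the list thread: a deputy that writes the client's output file and then appends to a billing log it alone may write. The names client_may_write, compile_and_bill and the BILLING_LOG path are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed path for this example; in the real setup the billing file
 * would be owned by the compiler's sgid group and unwritable by ordinary users. */
#define BILLING_LOG "/tmp/cap_talk_billing_example.log"

/* Return 1 if the *real* uid/gid may write `path`, else 0.
 * access() evaluates the real ids, not the effective ones, so inside a
 * setgid binary it answers "could the client do this without our privilege?"
 * A path that does not exist yet is allowed only if its directory is
 * writable by the real user, since open(O_CREAT) would need that anyway. */
int client_may_write(const char *path)
{
    if (access(path, W_OK) == 0)
        return 1;
    if (errno != ENOENT)
        return 0;                       /* exists, but the client may not write it */
    char dir[4096];
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;
    if (n >= sizeof dir)
        return 0;
    if (n == 0)
        strcpy(dir, slash ? "/" : ".");  /* "/out.o" -> "/", "out.o" -> "." */
    else {
        memcpy(dir, path, n);
        dir[n] = '\0';
    }
    return access(dir, W_OK) == 0;
}

/* The deputy: write `output` to the client-supplied path, then record the job
 * in the billing log. Returns 0 on success, -1 if the client lacks permission
 * or an I/O step fails. The access() check runs before any privileged open,
 * so the client cannot aim the deputy's gid at a file it could not write
 * itself (such as the billing log). */
int compile_and_bill(const char *output, const char *out_path)
{
    if (!client_may_write(out_path))
        return -1;
    FILE *out = fopen(out_path, "w");
    if (!out)
        return -1;
    fputs(output, out);
    fclose(out);
    FILE *bill = fopen(BILLING_LOG, "a");   /* writable only via the sgid group */
    if (!bill)
        return -1;
    fprintf(bill, "uid=%u wrote %s\n", (unsigned)getuid(), out_path);
    fclose(bill);
    return 0;
}
```

The access()-then-open sequence leaves a time-of-check/time-of-use window if the client can replace the path between the two calls; the usual hardening is to lower the effective gid to the real one (setegid(getgid())) around the open of the client's file and restore it only for the billing log.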