[cap-talk] Concerning entry "ambient authority" in Wikipedia
James Morris
jmorris at namei.org
Mon Jun 8 18:48:55 EDT 2009
On Fri, 5 Jun 2009, Mark Miller wrote:
> On Fri, Jun 5, 2009 at 2:13 AM, Matej Kosik <kosik at fiit.stuba.sk> wrote:
> > Can it not simply state that:
> >
> > "A subsystem is said to have *ambient authority* when, if we want to
> > determine its authority, we cannot rely on rules defined by
> > object-capability security model."
> >
> > Does everybody agree?
>
> Hi Matej,
>
> I agree that the current page is not good and needs improving.
> However, I strongly object to your suggestion. In light of XSRF and
> ClickJacking, the dangers of ambient authority leading to confused
> deputies are one of our most powerful rhetorical tools for criticizing
> current access control architectures. If we make a statement like the
> above, then the whole issue comes to be dismissed as "Well, we're not
> doing object-capabilities, so by definition we have ambient authority.
> So what? We already knew we weren't doing object-capabilities."
Agreed. It seems to me that ambient authority stands alone as a principle
which can be useful when analyzing all kinds of security schemes.
I recently wrote about SELinux sandboxing and ambient authority here:
http://james-morris.livejournal.com/41591.html
The aim being to identify the problem space, then explain how a
combination of MAC and the Unix file descriptor passing scheme can be used
to significantly (although not entirely) eliminate ambient authority, and
why this is important.
(Any critique of what I wrote would be welcome, btw).
FWIW, I checked the authorship of the wiki page before linking to it, and
while it seemed to have been written by experts in the area, it would be
ideal to have a truly canonical reference which could be understood by
people who are not necessarily security experts.
- James
--
James Morris
<jmorris at namei.org>
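The fd-passing half of the scheme James refers to (delegate one open descriptor to a confined process instead of letting it open paths with its own ambient authority), as an added example that is not part of the original post or of the linked blog entry. It assumes Linux or another POSIX system with AF_UNIX socketpair and SCM_RIGHTS; the MAC half (an SELinux policy that would deny the child's own open(2) calls) is not shown, so on an unconfined system the child could still open paths itself. The temporary file path and its contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one file descriptor over a Unix-domain socket using SCM_RIGHTS.
 * Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    char dummy = 'F';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor; returns the new fd, or -1 on error/EOF. */
int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* The confined side: it is never told a path and never calls open(2). Its only
 * file authority is whatever descriptor arrives on sock, and its only outward
 * channel is sock. (A real sandbox would also close inherited descriptors and
 * rely on MAC to refuse any open(2) the child attempted on its own.) */
static void sandboxed_child(int sock)
{
    int fd = recv_fd(sock);
    if (fd < 0)
        _exit(1);
    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf);
    if (n < 0 || write(sock, buf, (size_t)n) != n)
        _exit(1);
    _exit(0);
}

/* Parent side: exercises its own authority to open `path`, then delegates that
 * single descriptor to a forked child. Copies what the child read into `out`
 * and returns the byte count, or -1 if the open, the delegation or the child
 * failed. */
ssize_t run_delegated_read(const char *path, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                 /* child holds only its end of the pair */
        close(sv[0]);
        sandboxed_child(sv[1]);     /* does not return */
    }
    close(sv[1]);
    ssize_t n = -1;
    int fd = open(path, O_RDONLY);  /* forked before open: child never had it */
    if (fd >= 0) {
        if (send_fd(sv[0], fd) == 0) {
            shutdown(sv[0], SHUT_WR);   /* nothing further will be delegated */
            n = read(sv[0], out, outlen);
        }
        close(fd);                      /* parent no longer needs it */
    }
    close(sv[0]);                       /* on open failure: child sees EOF, exits 1 */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return n;
}

/* Constructed sample input: a throwaway file the parent creates in /tmp. */
static const char SAMPLE[] = "only the parent ever knew this path\n";

/* Returns 1 if the child read back exactly SAMPLE through the delegated fd. */
int demo_delegated_read(void)
{
    char tmpl[] = "/tmp/capdemo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    ssize_t len = (ssize_t)(sizeof SAMPLE - 1);
    if (write(fd, SAMPLE, (size_t)len) != len) { close(fd); unlink(tmpl); return 0; }
    close(fd);
    char out[256] = { 0 };
    ssize_t n = run_delegated_read(tmpl, out, sizeof out - 1);
    unlink(tmpl);
    return n == len && memcmp(out, SAMPLE, (size_t)len) == 0;
}

int main(void)
{
    printf("delegated read %s\n", demo_delegated_read() ? "ok" : "failed");
    return 0;
}
```

The point of forking before open(2) is that the child's authority over the file is exactly the one descriptor it is handed, not a path it could reopen; a path that the parent cannot open yields -1 rather than a child that goes looking for it itself.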