[cap-talk] Concening entry "ambient authority" in Wikipedia
david-sarah at jacaranda.org
Mon Jun 8 19:46:50 EDT 2009
Marcus Brinkmann wrote:
> Mark Miller wrote:
>> I would define an ambient authority system as one in which "If a
>> requesting entity requests an action that it is permitted to perform,
>> then the action is allowed." By contrast to a designated authority
>> system, in which "If a requesting entity requests an action that is
>> permitted by the subset of its permissions that it explicitly brings
>> to bear on the action, then the action is allowed." This formulation
>> also has the right paradoxical sense -- one can see why it was so easy
>> to think that ambient authority was a sensible architecture.
> I think that what is missing from this picture is how finely permissions can
> be described in the given system. For example, I don't see any reason why a
> traditional Unix kernel can not be interpreted under an object-capability
> glasses, as the object-capability model does not require that separable
> interfaces are actually separated.
A traditional Unix kernel grants significant authorities -- for example,
the ability to read world-readable files -- to all [*] processes, so it is
definitively not an object-capability system.
[*] if chroot is not considered part of "traditional Unix", which
strictly speaking it isn't (it first appeared in 4.2BSD, in 1983).
> In the same spirit we only need to use a
> very relaxed understanding of "bringing permissions explicitely to bear on an
> action" to come to similar conclusions about ambient authority.
> Without attempting a formal definition, I think that ambient authority
> actually is used here to describe systems in which the POLA design principle
> is rejected.
I don't see why you say that. The property that Mark describes (which
roughly coincides with my understanding of ambient authority) is entirely
independent of the granularity of permissions.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
More information about the cap-talk