[cap-talk] Concerning entry "ambient authority" in Wikipedia
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Wed Jun 10 18:48:47 EDT 2009
David-Sarah Hopwood wrote:
> Marcus Brinkmann wrote:
>> David-Sarah Hopwood wrote:
>>> Undeniable authorities. They are not capabilities, nor are they accessed
>>> via capabilities.
>> This does not appear to be true, as is easily demonstrated. The capability
>> name space is the interrupt vector, and the UNIX capability is capability
>> number 0x80 by convention. The messages are marshalled in registers and
>> memory buffers, and the send+receive instruction is "int CAP" where CAP is the
>> capability name.
>>
>> This capability can be intercepted and denied by using the ptrace interface,
>> as is done by programs such as strace, fakeroot or faketime (20 lines of code
>> for the latter).
>
> ptrace is not part of the traditional Unix security model.
Well, I am not old enough to remember that.
> In the original
> design, kernel calls were universally available primitives. If you add the
> facility to intercept kernel calls in a way that supports process isolation,
> then you can potentially implement a capability system in terms of that
> (this is almost a triviality; it applies to essentially any system with an
> interceptable kernel interface in which user processes can only affect each
> other via the kernel).
>
> However, an instance of a Unix system that is not *in fact* intercepting
> kernel calls in such a way as to implement capability rules -- even if the
> facilities to do so are in principle available -- is not a capability
> system, and in that case its authorities are not being accessed via
> capabilities.
In this case, which particular requirement of a capability system is not
fulfilled?
Thanks,
Marcus
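The interception Marcus describes above, as an added example that is not part of the thread and not code from strace, fakeroot or faketime: a minimal ptrace-based monitor that withholds one authority Unix otherwise grants ambiently (creating a socket) from a child process, so the child sees EPERM instead of a descriptor. It assumes Linux on x86_64 (the register names orig_rax and rax) and that ptrace is permitted in the environment; where it is not, the function reports that instead of failing. The function and enum names are my own.

```c
/* Added example, not from the cap-talk thread: deny the socket(2) syscall
 * to a traced child with ptrace. Linux x86_64 only (orig_rax / rax). */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum monitor_result {
    MONITOR_DENIED = 0,             /* tracer denied the call, child saw EPERM */
    MONITOR_NOT_DENIED = 1,         /* child obtained a socket: interception failed */
    MONITOR_PTRACE_UNAVAILABLE = 2  /* ptrace refused here, or not x86_64 Linux */
};

/* Child: exercise an ambient authority it was never explicitly granted.
 * The exit code reports what happened to the parent. */
static void traced_child(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(42);                      /* ptrace not permitted in this sandbox */
    raise(SIGSTOP);                     /* pause so the tracer can set options */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1 && errno == EPERM)
        _exit(0);                       /* authority was withheld */
    if (fd >= 0)
        close(fd);
    _exit(1);                           /* authority was still available */
}

enum monitor_result deny_socket_syscall(void) {
#if !defined(__x86_64__) || !defined(__linux__)
    return MONITOR_PTRACE_UNAVAILABLE;
#else
    pid_t child = fork();
    if (child == -1)
        return MONITOR_PTRACE_UNAVAILABLE;
    if (child == 0)
        traced_child();

    int status;
    waitpid(child, &status, 0);         /* first stop: the child's SIGSTOP */
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 42 ? MONITOR_PTRACE_UNAVAILABLE
                                         : MONITOR_NOT_DENIED;
    /* Mark syscall stops with SIGTRAP|0x80 so they are distinguishable. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, PTRACE_O_TRACESYSGOOD);

    int denied = 0, in_syscall = 0, deny_this = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) == -1) break;
        if (waitpid(child, &status, 0) == -1) break;
        if (WIFEXITED(status)) break;
        if (!(WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)))
            continue;                   /* a plain signal stop, not a syscall stop */

        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, child, NULL, &regs);
        if (!in_syscall) {              /* syscall-enter stop: decide policy */
            deny_this = (regs.orig_rax == SYS_socket);
            if (deny_this) {
                /* Invalid syscall number: the kernel does nothing and returns ENOSYS. */
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, child, NULL, &regs);
            }
        } else if (deny_this) {         /* syscall-exit stop: rewrite the result */
            regs.rax = (unsigned long long)-EPERM;
            ptrace(PTRACE_SETREGS, child, NULL, &regs);
            denied++;
        }
        in_syscall = !in_syscall;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0 && denied == 1)
        return MONITOR_DENIED;
    return MONITOR_NOT_DENIED;
#endif
}

int main(void) {
    static const char *names[] = {"denied (EPERM)", "NOT denied", "ptrace unavailable"};
    enum monitor_result r = deny_socket_syscall();
    printf("socket(2) in traced child: %s\n", names[r]);
    return r == MONITOR_NOT_DENIED;
}
```

Two caveats a practitioner would want: the tracer only sees calls that actually enter the kernel, so anything served by the vDSO (clock_gettime, gettimeofday on most x86_64 systems) never traps and cannot be intercepted this way; and a real monitor must also follow fork/clone (PTRACE_O_TRACEFORK and friends) or the child's children run with their ambient authority intact. For denying syscalls on current Linux, seccomp-bpf does the same job in the kernel without a tracer process.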