[cap-talk] "ambient authority" on wiki.erights.org

Sandro Magi naasking at higherlogics.com
Sat Jun 13 01:19:03 EDT 2009


David Wagner wrote:
> Think of "cp foo.txt bar.txt" vs "cat < foo.txt > bar.txt", for instance
> (an example I learned from Mark Miller, if I remember correctly).  "cp"
> can only be implemented with ambient authority, and if you try to set
> the ACLs for "cp", you find that it needs authority to all of your files
> (because it needs to be able to handle any file you ask it to copy). 

The other solution is to provide more context when running commands, such
that the shell can interpret the intended meaning and provide only the
required permissions:

# prefixing arguments with ":" is interpreted as referring to the
# file system, and "+" means "grant permission", r for read, w for write
# the shell creates a new PrincipalId, adds read permission for
# foo.txt and write permission for bar.txt to the respective ACLs
# then revokes it after the program exits
cp +r:foo.txt +w:bar.txt

This essentially extends the shell language to deal with namespaces and
explicit permissions management. This shell programming can get
complicated quickly, and this ultimately ends up looking like
capabilities anyway, since they are so fundamental a concept.

Sandro
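To make the shell-side mechanism in the message concrete, here is an added example that is not code from the post or from any project it mentions. It is a toy shell that parses the "+r:" / "+w:" argument prefixes, mints a fresh principal for the invocation, adds only the named ACL entries, runs the command under that principal, and revokes the entries afterwards (including on failure). The class and function names (ToyShell, AclStore, cp_command) and the in-memory file store are this example's own assumptions; the point it shows is that a cp run this way holds no ambient authority, so an argument without a grant, or with only a read grant where a write is needed, is refused.

```python
"""Added example (not from the cap-talk post): a toy shell implementing the
"+r:" / "+w:" argument prefixes. Every name here is an assumption made for
illustration; the file store is constructed in memory so the script runs offline."""
import itertools
import re
from dataclasses import dataclass, field

# "+rw:path" -> the permission letters and the path they apply to
_PREFIXED = re.compile(r"^\+([rw]+):(.+)$")


@dataclass
class AclStore:
    """Constructed in-memory file system: file contents plus a per-file ACL."""
    contents: dict = field(default_factory=dict)  # path -> str
    acls: dict = field(default_factory=dict)      # path -> {principal -> set(perms)}

    def grant(self, principal, path, perms):
        if path not in self.contents:
            raise FileNotFoundError(path)
        self.acls.setdefault(path, {}).setdefault(principal, set()).update(perms)

    def revoke_principal(self, principal):
        # Drop every entry for the principal: its authority lasts only as long as the command.
        for entries in self.acls.values():
            entries.pop(principal, None)

    def check(self, principal, path, perm):
        if perm not in self.acls.get(path, {}).get(principal, set()):
            raise PermissionError(f"{principal} lacks '{perm}' on {path}")

    def read(self, principal, path):
        self.check(principal, path, "r")
        return self.contents[path]

    def write(self, principal, path, data):
        self.check(principal, path, "w")
        self.contents[path] = data


def cp_command(store, principal, args):
    """A cp with no ambient authority: it can touch only what its principal was granted."""
    src, dst = args
    store.write(principal, dst, store.read(principal, src))
    return True


class ToyShell:
    def __init__(self, store, commands):
        self.store = store
        self.commands = commands
        self._ids = itertools.count(1)

    def run(self, line):
        argv = line.split()
        principal = f"principal-{next(self._ids)}"  # fresh PrincipalId per invocation
        plain_args, grants = [], []
        for tok in argv[1:]:
            m = _PREFIXED.match(tok)
            if m:
                perms, path = m.group(1), m.group(2)
                grants.append((path, set(perms)))
                plain_args.append(path)  # the command itself only ever sees the path
            else:
                plain_args.append(tok)
        for path, perms in grants:
            self.store.grant(principal, path, perms)
        try:
            return self.commands[argv[0]](self.store, principal, plain_args)
        finally:
            self.store.revoke_principal(principal)  # revoke even when the command fails


def demo():
    """Run three invocations against constructed files and report what each was allowed."""
    store = AclStore(contents={"foo.txt": "hello", "bar.txt": "", "secret.txt": "s3cret"})
    shell = ToyShell(store, {"cp": cp_command})
    results = {}
    results["ok"] = shell.run("cp +r:foo.txt +w:bar.txt")  # exactly the authority cp needs
    results["bar"] = store.contents["bar.txt"]
    try:
        shell.run("cp +r:secret.txt bar.txt")  # bar.txt named without +w -> refused
        results["no_write_grant"] = "allowed"
    except PermissionError:
        results["no_write_grant"] = "denied"
    try:
        shell.run("cp +r:foo.txt +r:secret.txt")  # a read grant is not a write grant
        results["read_only_grant"] = "allowed"
    except PermissionError:
        results["read_only_grant"] = "denied"
    results["leftover_acl_entries"] = sum(len(e) for e in store.acls.values())
    results["secret"] = store.contents["secret.txt"]
    return results


if __name__ == "__main__":
    print(demo())
```

The try/finally in ToyShell.run is the part worth copying: the grant is tied to the invocation, so a command that crashes part-way still leaves no ACL entry behind, which is what the message means by "revokes it after the program exits".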
