[cap-talk] erights wiki : ambient authority

Karp, Alan H alan.karp at hp.com
Mon Jun 15 14:00:02 EDT 2009


David Wagner wrote:
> 
> Normally, ACL systems use ambient authority
> (though I can imagine an ACL system that does not: e.g., where
> with each system call you also specify which permission you are
> exercising).
>
Correct, but you need more to avoid confused deputy.  In the classic example, Alice says cc(r:foo.c,w:log.txt).  Bob ends up clobbering the log file even though Alice specified the authorities because she doesn't have to make a system call for the permissions she designates.  Hence, a non-ambient authority system does not preclude confused deputy based on the definition I proposed.  Should the definition include "verified permission" or some such?

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
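The scenario in the message above, as an added example that is not part of the cap-talk thread: a toy Python model in which Bob the compiler writes under its own ACL rights regardless of what Alice designated, next to a capability version where Alice's designation is verified against her own rights when the capability is minted. FileStore, Capability, mint() and the billing.txt file are assumed names for the illustration.

```python
# Added example (not from the cap-talk thread): toy model of the confused deputy above. FileStore, Capability, mint() and billing.txt are constructed names.
class Denied(Exception): pass

class FileStore:
    """ACL-protected store: every write is judged on the CALLER's identity."""
    def __init__(self, acl):
        self.acl, self.data = acl, {}      # acl: {path: {principal: set_of_rights}}
    def write(self, caller, path, text):
        if "w" not in self.acl.get(path, {}).get(caller, set()):
            raise Denied(f"{caller} may not write {path}")
        self.data[path] = text

def cc_acl(store, src, out):
    """Bob the compiler, ACL version: Alice said cc(r:src, w:out), but nothing
    verifies that Alice holds 'w' on out, so Bob writes with his own authority."""
    store.write("bob", out, f"compiled {src}")

class Capability:
    """Unforgeable handle to one path with fixed rights; whoever holds it may use it."""
    def __init__(self, store, path, rights):
        self._store, self.path, self.rights = store, path, rights
    def write(self, text):
        if "w" not in self.rights:
            raise Denied(f"no write right on {self.path}")
        self._store.data[self.path] = text

def mint(store, principal, path, rights):
    """Verified permission: a capability is issued only for rights the requester holds."""
    if not rights <= store.acl.get(path, {}).get(principal, set()):
        raise Denied(f"{principal} lacks {rights} on {path}")
    return Capability(store, path, rights)

def cc_cap(src_cap, out_cap):
    """Bob the compiler, capability version: can only write through what Alice passed."""
    out_cap.write(f"compiled {src_cap.path}")

def demo():
    acl = {"foo.c": {"alice": {"r"}}, "log.txt": {"alice": {"w"}, "bob": {"w"}},
           "billing.txt": {"bob": {"w"}}}          # Alice must never write billing.txt
    store = FileStore(acl)
    cc_acl(store, "foo.c", "billing.txt")           # deputy confused: Bob clobbers it
    acl_clobbered = "billing.txt" in store.data
    try:
        mint(store, "alice", "billing.txt", {"w"})  # refused when Alice designates it
        cap_refused = False
    except Denied:
        cap_refused = True
    cc_cap(mint(store, "alice", "foo.c", {"r"}), mint(store, "alice", "log.txt", {"w"}))
    return acl_clobbered, cap_refused, store.data.get("log.txt")
```

demo() returns (True, True, "compiled foo.c"): the ACL deputy clobbers billing.txt, the capability system refuses Alice's designation of it up front, and the compiler's output lands only where Alice could legitimately write.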