[cap-talk] erights wiki : ambient authority
David-Sarah Hopwood
david-sarah at jacaranda.org
Mon Jun 15 15:27:33 EDT 2009
Karp, Alan H wrote:
> David Wagner wrote:
>> Normally, ACL systems use ambient authority
>> (though I can imagine an ACL system that does not: e.g., where
>> with each system call you also specify which permission you are
>> exercising).
>
> Correct, but you need more to avoid confused deputy. In the classic example,
> Alice says cc(r:foo.c,w:log.txt). Bob ends up clobbering the log file even
> though Alice specified the authorities because she doesn't have to make a
> system call for the permissions she designates.
I think David Wagner was referring to an ACL system in which it is also
possible to transfer and use capabilities.
> Hence, a non-ambient authority system does not preclude confused deputy
> based on the definition I proposed.
Indeed a non-ambient authority system does not preclude confused deputy.
It only solves the problem that makes writing unconfusable deputies
impossible when they use only ambient authority.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
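An added example, not part of the thread: Alan Karp's cc(r:foo.c,w:log.txt) case simulated in Python, once as an ACL deputy acting under its own ambient authority and once as a capability deputy whose caller must hand over a capability for every file it designates. The in-memory file system, the ACL, and the names alice, compiler and out.o are constructed for this example.

```python
# Constructed sample "file system" and ACL (not from the thread).
INITIAL = {"foo.c": "int main(void){return 0;}", "log.txt": "billing records", "out.o": ""}
ACL = {"foo.c":   {"alice": {"read"}, "compiler": {"read"}},
       "log.txt": {"compiler": {"read", "write"}},          # only the compiler may write the log
       "out.o":   {"alice": {"read", "write"}, "compiler": {"write"}}}

def ambient_compile(files, src, out):
    """ACL deputy: every check uses the deputy's own identity, never the caller's rights."""
    def check(path, mode):
        if mode not in ACL.get(path, {}).get("compiler", set()):
            raise PermissionError(f"compiler may not {mode} {path}")
    check(src, "read"); check(out, "write"); check("log.txt", "write")
    files[out] = "obj:" + files[src]          # with out == "log.txt" this clobbers the log
    files["log.txt"] += "\ncompiled " + src
    return files

class ReadCap:
    def __init__(self, files, path): self._files, self.label = files, path
    def read(self): return self._files[self.label]

class WriteCap:
    def __init__(self, files, path): self._files, self.label = files, path
    def write(self, data): self._files[self.label] = data
    def append(self, data): self._files[self.label] += data

def make_cap_compiler(log_cap):
    """Capability deputy: holds its own log capability; callers pass a capability for
    every file they designate, so designation and authority arrive together."""
    def compile_(src_cap, out_cap):
        out_cap.write("obj:" + src_cap.read())
        log_cap.append("\ncompiled " + src_cap.label)
    return compile_

def run_ambient():
    files = dict(INITIAL)
    return ambient_compile(files, "foo.c", "log.txt")["log.txt"]  # Alice names the log as output

def run_capability():
    files = dict(INITIAL)
    alice = {"foo.c": ReadCap(files, "foo.c"), "out.o": WriteCap(files, "out.o")}  # Alice's c-list
    compile_ = make_cap_compiler(WriteCap(files, "log.txt"))
    try:
        compile_(alice["foo.c"], alice["log.txt"])   # she holds no capability to log.txt
    except KeyError:
        pass
    compile_(alice["foo.c"], alice["out.o"])
    return files["log.txt"], files["out.o"]
```

In the ACL run the billing records are gone because the deputy checked only its own rights; in the capability run Alice cannot designate log.txt at all, since designating a file means presenting a capability she does not hold.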