[cap-talk] "ambient authority" on wiki.erights.org

[Rob Meijer]

On Thu, June 18, 2009 23:41, Karp, Alan H wrote:
>>   A system, containing at least three subjects, is said to contain
>>   /Ambient Authority/ when a designator (D) naming an object known to
>>   one subject (C) is shared between two other subjects (A and B) without
>>   accompanying authorizations.
>>
> Here's a counter example to your definition.  Alice runs the following
> program (in no particular language):
>
>     main(String a, String b){
>        copy(a,b);
> 	 return;
>     function copy(String outName, String inName){
>        File in = new File(inName,'r');
>        File out = new File(outName,'w');
>        out.write(in.read());}
>     }
>
> Alice has r/w authority to files a.txt and b.txt.  If Alice invokes this
> program as mycopy("a.txt","b.txt") intending to copy the contents of a.txt
> to b.txt, she's in for a surprise.  Alice does not specify which of her
> authorities are to be used because they are ambient.  I would say that
> Alice is the only party involved, but I won't squawk if you insist on
> counting the OS.  However, there is no way of counting that gets to three
> parties.

The example uses is rather obfuscated by implicit OS and language stuff,
lets de-obfuscate it a bit:

class FileSystem {
  static map<string,FileObject> mFiles;
  static openFile(string filename) {
     return mFiles[filename];
  }
}
function copy(String outName, String inName){
  File in  = FileSystem::openFile(inName);
  File out = FileSystem::openFile(outName);
  out.write(in.read());}
}
main(String a, String b){
 copy(a,b);
 return;
}