[E-Lang] ACLs + delegation

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 01 Feb 2001 07:48:29 -0500


David Wagner wrote:
> Insist that all security
> relevant operations make explicit under what authority the action is being
> requested.
> 
> For instance, if we consider the Unix open() call, my explicitness proposal
> would have it be changed to have the following interface:
>    int open(uid_t authority, char *file, int flags, ...);


Windows NT works this way. Empirically, it's a miserable failure,
because to make it work you need the ability to transfer authorities
across client/server boundaries. At that point, you end up with a
quasi-capability system where the capabilities name protection domains
that in turn you run an ACL system against. It's pretty much the worst
of both worlds.

Also, it provides absolutely no defense against the program itself being
compromised and made to run third-party code.

Jonathan
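To make the two points above concrete, here is a toy model added to this archive page; it is not code from the thread or from any of the systems named in it. A fake kernel holds one ACL table (constructed sample data). `acl_open` follows the quoted `open(uid_t authority, ...)` shape, so a server reading files for a client must first be handed the client's authority id; `cap_open` instead takes an unforgeable reference minted by `grant`. The `code_replaced` flag on each server models the server being made to run third-party code. All names (`acl_log_service`, `cap_log_service`, `grant`, `compare`) are this example's own.

```python
"""Toy contrast of explicit-authority-plus-ACL versus capabilities (constructed example)."""
from typing import Callable, Dict, Set


class Denied(Exception):
    """Raised by the toy kernel when an access check fails."""


# Constructed sample ACL table: path -> principal ids allowed to open that path.
ACL: Dict[str, Set[str]] = {
    "/home/alice/secret.txt": {"alice"},
    "/var/log/app.log": {"alice", "logsvc"},
}


# ---- Regime A: explicit authority parameter, checked against an ACL ----

def acl_open(authority: str, path: str) -> str:
    """Mirrors the quoted interface: the caller names the principal it claims to
    act for and the kernel checks that principal against the path's ACL.
    The returned path stands in for a file descriptor."""
    if authority not in ACL.get(path, set()):
        raise Denied(f"{authority!r} is not on the ACL for {path!r}")
    return path


def acl_log_service(client_authority: str, path: str, code_replaced: bool = False) -> str:
    """A log-reading server. To open anything on the client's behalf it has to be
    handed the client's authority id (the cross-boundary transfer the mail refers to).
    If the server's code is replaced, the only thing that changes is which path it
    names: the authority it holds is not bound to any particular request."""
    target = "/home/alice/secret.txt" if code_replaced else path
    return acl_open(client_authority, target)


# ---- Regime B: capabilities ----

class Capability:
    """Reference to exactly one file. Compared by identity, so a freshly built
    Capability is a different object from one the kernel minted."""

    def __init__(self, path: str) -> None:
        self.path = path


_issued: Set[Capability] = set()  # toy kernel's registry of minted capabilities


def grant(authority: str, path: str) -> Capability:
    """Mint a capability. The ACL is consulted once, at grant time, by the
    principal that actually holds the access right."""
    if authority not in ACL.get(path, set()):
        raise Denied(f"{authority!r} may not be granted {path!r}")
    cap = Capability(path)
    _issued.add(cap)
    return cap


def cap_open(cap: Capability) -> str:
    """Honour only capabilities that came out of grant(); anything else is denied."""
    if cap not in _issued:
        raise Denied("not a capability issued by the kernel")
    return cap.path


def cap_log_service(cap: Capability, code_replaced: bool = False) -> str:
    """Same server, capability style. It receives a reference to the one file the
    client wants read and holds no authority for anything else; replaced code can
    build a Capability object for another path, but the kernel never minted it."""
    if code_replaced:
        return cap_open(Capability("/home/alice/secret.txt"))
    return cap_open(cap)


# ---- Run both regimes through the honest and the code-replaced server ----

def outcome(fn: Callable[..., str], *args, **kwargs) -> str:
    try:
        return "opened " + fn(*args, **kwargs)
    except Denied:
        return "denied"


def compare() -> Dict[str, str]:
    alice_cap = grant("alice", "/var/log/app.log")
    return {
        "acl_honest": outcome(acl_log_service, "alice", "/var/log/app.log"),
        "acl_compromised": outcome(acl_log_service, "alice", "/var/log/app.log", code_replaced=True),
        "cap_honest": outcome(cap_log_service, alice_cap),
        "cap_compromised": outcome(cap_log_service, alice_cap, code_replaced=True),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16} {result}")
```

In regime A the server keeps working after its code is replaced, because the client's authority id it was handed is good for every path on Alice's ACLs; in regime B the same replacement yields a denial, since the only authority the server ever held was the one capability for the log file.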