[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaandScottSmith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
25 Jan 2001 19:56:09 GMT


Ben Laurie  wrote:
>> There's nothing about ACL's that forces you to do all-or-nothing
>> delegation.  In fact, if you look at, say, Unix file permissions (an
>> ACL system), delegation is not all-or-nothing: you can hand off just
>> read permission, etc.
>
>I can? How?

That's what `chmod g+r G` does: Hand off just read access to the
file (not write access) to members of the group G.  It works even
if the owner has both read and write access.  It's most definitely
not nearly as flexible as I'd like, but it's not all-or-nothing,
either.

The OS has to be involved in the transaction.  If subject S has
rights R to an object O, and S wants to hand this off to
another subject S', S can ask the OS
  "add an entry to the ACL for O giving S' rights R for O".
More generally, if R' is a weaker right than R, and if S has
rights R to O, then S can ask the OS
  "add an entry to the ACL for O giving S' rights R' for O".
The OS has to support this functionality, of course, but there
is no fundamental reason that it cannot.

This is just delegation, and one can support delegation in either
a capabilities or an ACL setting.  The main difference is that
delegation in an ACL setting always requires the OS to be online
and available; in a capabilities setting, it need not require that.
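The two rules above (hand off exactly your rights R, or any weaker R' as long as R' is a subset of R, with the OS mediating the ACL change) are easy to state as a tiny reference monitor. The following Python model is an added illustration, not code from the original message or from any real operating system: the `ACLKernel` class, the subject and object names, and the `read`/`write` right set are all constructed for the example. The point it makes is that delegation is a request to the monitor, the monitor enforces attenuation (a delegate can never be granted more than the delegator holds), and the monitor therefore has to be online for every hand-off.

```python
from typing import Dict, FrozenSet, Iterable

# Constructed right names for the example; a real system would have more.
READ, WRITE = "read", "write"
ALL_RIGHTS: FrozenSet[str] = frozenset({READ, WRITE})


class ACLKernel:
    """Hypothetical reference monitor holding one ACL per object.

    Every access check and every ACL modification goes through this object,
    which is exactly the 'OS must be online' property discussed above.
    """

    def __init__(self) -> None:
        # object -> {subject -> rights}
        self.acl: Dict[str, Dict[str, FrozenSet[str]]] = {}

    def create(self, owner: str, obj: str) -> None:
        """A freshly created object gives its owner every right."""
        self.acl[obj] = {owner: ALL_RIGHTS}

    def rights(self, subject: str, obj: str) -> FrozenSet[str]:
        """Rights R that subject S currently holds on object O (empty if none)."""
        return self.acl.get(obj, {}).get(subject, frozenset())

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Access decision: does S hold this right on O?"""
        return right in self.rights(subject, obj)

    def delegate(self, s: str, s_prime: str, obj: str,
                 r_prime: Iterable[str]) -> FrozenSet[str]:
        """S asks the OS: "add an entry to the ACL for O giving S' rights R'".

        Granted only if R' is no stronger than R, the rights S holds on O.
        Returns the rights S' holds on O afterwards.
        """
        requested = frozenset(r_prime)
        held = self.rights(s, obj)
        if not requested <= held:
            # Attenuation: you cannot delegate what you do not have.
            missing = sorted(requested - held)
            raise PermissionError(f"{s} lacks {missing} on {obj}")
        entries = self.acl[obj]
        entries[s_prime] = entries.get(s_prime, frozenset()) | requested
        return entries[s_prime]


def demo() -> Dict[str, object]:
    """Walk through the chmod-style scenario: owner hands off read only."""
    os_ = ACLKernel()
    os_.create("alice", "/home/alice/notes")           # alice: {read, write}

    # Hand off just read access (the 'chmod g+r' case), not write access.
    bob_rights = os_.delegate("alice", "bob", "/home/alice/notes", {READ})

    # bob may now read but not write; a further delegation of write must fail.
    try:
        os_.delegate("bob", "carol", "/home/alice/notes", {READ, WRITE})
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True

    # Re-delegating a subset of what bob holds is allowed.
    carol_rights = os_.delegate("bob", "carol", "/home/alice/notes", {READ})

    return {
        "bob_rights": bob_rights,
        "bob_can_read": os_.check("bob", "/home/alice/notes", READ),
        "bob_can_write": os_.check("bob", "/home/alice/notes", WRITE),
        "escalation_blocked": escalation_blocked,
        "carol_rights": carol_rights,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows bob ending up with read but not write, bob's attempt to pass write on to carol refused, and carol receiving read only. The capability analogue would let bob hand carol an attenuated capability without contacting the kernel at all, which is the difference the paragraph above draws.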

In the case of distributed systems (where S, S', and the OS are on
three different machines), it can be useful to be able to delegate
rights without requiring all three machines to be online.