[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaandScottSmith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
27 Jan 2001 00:52:28 GMT

Mark S. Miller wrote:
>I think everyone's been missing the more important way in which this example 
>is broken -- the identity of the "you" in "you can hand off just read 
>permission".  It's only root or the owner of file, not everyone who *has* 
>read permission.  This isn't delegation, it's simply ACLs.

I can't agree.  This may be a limitation of Unix, but it is
not fundamental to ACL's.  Don't confuse accidental limitations
of implementations with fundamental limitations of the concept.

I claim it is trivial to extend the Unix OS to allow anyone who
has read permission to delegate read permission to anyone else.
Imagine we had a delegate() syscall, with following example usage:
   fd = open("/tmp/foo", O_RDONLY);
   delegate(fd, rcvr);
where `rcvr' is a designation of the entity who we are delegating to.
(`rcvr' might be a uid, might be a pid, might be an object reference;
pick your favorite way of referring to entities.)  The
delegate(fd, rcvr) syscall should take the permissions used to open
`fd' and give them `rcvr'.  In the above example, `fd' was opened
O_RDONLY, so the kernel would add an entry to the ACL for "/tmp/foo"
allowing read permission for the entity `rcvr'.  This would require
a modification to today's OS's, but it's possible (maybe even easy)
to do.

The above is just intended as a rough sketch, maybe the details would
have to be tweaked a little, but there's no reason that you can't
implement this type of functionality on an ACL system.

Sure, the OS has to be built in a way that supports the type of
delegation you want to have.  It has to include a delegate() syscall.
If you look at the most commonly deployed ACL systems today, you
might find that they tend not to have that support.  But there is
no fundamental reason you can't add it if you want it.  There's nothing
inherent in the notion of ACL's that prohibits supporting delegate().

Of course, the main disadvantage of the above is that delegation
requires the participation of the OS -- you have to do a delegate()
syscall.  That may be a huge disadvantage of ACL's compared to capabilities,
especially in distributed systems.  But it also seems that this is
about the only fundamental difference between the two.