Re: Split Capabilities: Making Capabilities Scale Jonathan S. Shapiro (shap@eros-os.org)
Sat, 8 Jul 2000 20:39:08 -0400

> We have a
> counter example to the statement that most capabilities never need to be
> created. Our e-speak Virtual File System must issue capabilities for each
> access right of each file it controls. (Here's where wildcards are used.)
> While any client over any session may need only a few capabilities, over
> time a substantial fraction of the possibilities will end up being
> created,
> and each client may end up holding a substantial fraction of them

I suspect that what really happens is that over time, nearly every capability will be generated and used for a brief period of time and then permanently retired, never to be accessed again. In your design, I do not see that it is easy to retire the access lists when all processes have dropped their respective capabilities. This seems a potential source of security issues.

I'm also struck by your comment that clients may hold a substantial fraction of capabilities. Is this a carryover from the Brevix internals? In any case, the violation of "least privilege" embedded in your statement is self-evident, and to me that is a serious concern.

How do you ensure that when a capability is no longer needed it is dropped?

Jonathan
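As an added illustration of the retirement question raised in the message above, not code from e-speak, EROS or the thread's authors: a small capability table that records which processes hold each issued capability, retires the access entry as soon as the last holder drops it, and refuses access through a retired entry. Process ids, the file path and all class and method names are constructed for the example.

```python
"""Constructed example: a capability table whose access entries are retired
when every holder has dropped its capability (not e-speak or EROS code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessEntry:
    resource: str
    right: str
    holders: set = field(default_factory=set)  # process ids holding a cap


class CapabilityTable:
    def __init__(self):
        self.entries = {}  # unguessable token -> AccessEntry
        self.retired = 0   # count of entries retired so far

    def issue(self, resource, right, pid):
        """Mint a fresh token for (resource, right) and hand it to pid."""
        token = secrets.token_hex(16)
        self.entries[token] = AccessEntry(resource, right, {pid})
        return token

    def share(self, token, from_pid, to_pid):
        """Only a current holder may pass the capability to another process."""
        entry = self.entries.get(token)
        if entry is None or from_pid not in entry.holders:
            raise PermissionError("caller does not hold this capability")
        entry.holders.add(to_pid)

    def drop(self, token, pid):
        """Release pid's hold; retire the entry once nobody holds it."""
        entry = self.entries.get(token)
        if entry is None or pid not in entry.holders:
            return False
        entry.holders.discard(pid)
        if not entry.holders:
            del self.entries[token]  # access entry retired: no dangling grant
            self.retired += 1
        return True

    def check(self, token, pid):
        """Access succeeds only for a live entry and a current holder."""
        entry = self.entries.get(token)
        return entry is not None and pid in entry.holders

    def held_by(self, pid):
        """How many live capabilities a process still holds (least privilege)."""
        return sum(1 for e in self.entries.values() if pid in e.holders)
```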