
List:       cap-talk
Subject:    Re: [cap-talk] an access control matrix model of capabilities
From:       Zooko <zooko () zooko ! com>
Date:       2003-05-31 19:46:15


 Dave (not one of the Davids) wrote:
>
> Zooko writes:
> >I guess there might be an ACL system where having a privilege is not a 
> >prerequisite for granting it, but this would seem unusual to me.
> 
> Well, it is the basis of the Unix seteuid/setegid mechanism, so I'm not
> sure why it would seem all that strange.

Perhaps because the Unix seteuid/setegid mechanism seems strange to me.  ;-)

Hm.  Okay.  By the way, thanks also to Ben Laurie for raising this objection.

So the "key distinction" that I've been talking about [1,2] is, very informally:

"In ACLs it is whether you have a check mark in the appropriate column, 
 whereas in object-capabilities it is whether you have a check mark in *both* 
 the appropriate column *and* the appropriate row."

You have convinced me that in real ACLs the "appropriate column" is not the 
"has permission to write to ttys" column, but the "has permission to grant 
permission to write to ttys" column.

Object-capabilities *could* have a similar split between permissions and 
permissions-to-grant-permissions, but actual Cappists emphatically reject that 
notion -- the notion of a "Can-Delegate" bit.

So in the object-capabilities case the "appropriate column" is the actual 
"permission to write to ttys" column.

By the way, I very much like what Shap just said in this thread [3], that in 
ACLs, the permissions-to-grant-permissions are a separate kind of thing from 
the permissions, and can't be programmed with the same rules.  (If they could, 
then we would have to have permissions-to-grant-permissions-to-grant-
permissions.)

This contrasts with the simpler object-capabilities model where the question 
of whether a permission can be granted is resolved without the invention of a 
new kind of permission.

Regards,

Zooko

http://zooko.com/
         ^-- under re-construction: some new stuff, some broken links

[1] http://www.eros-os.org/pipermail/cap-talk/2003-April/001175.html
[2] http://www.eros-os.org/pipermail/cap-talk/2003-May/001205.html
[3] http://www.eros-os.org/pipermail/cap-talk/2003-May/001182.html
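
Added example, not part of Zooko's message or of any cap-talk code: a toy access matrix contrasting the two grant preconditions the message describes. The subject names, the "grant:" prefix and the reading of "row" as "the grantor holds a reference to the grantee" are assumptions of this example.

```python
# Added illustration: toy access matrices as {subject: set of check marks}.
# All names and the "grant:" prefix are constructed for this example.

def acl_can_grant(matrix, grantor, permission):
    # ACL reading: what matters is the separate grant-right column.
    # Holding the permission itself is neither required nor sufficient.
    return ("grant:" + permission) in matrix.get(grantor, set())

def acl_grant(matrix, grantor, grantee, permission):
    if not acl_can_grant(matrix, grantor, permission):
        return False
    matrix.setdefault(grantee, set()).add(permission)
    return True

def cap_can_grant(matrix, grantor, grantee, obj):
    # Object-capability reading: the grantor holds the capability itself
    # (column) and a reference to the grantee (assumed meaning of "row").
    held = matrix.get(grantor, set())
    return obj in held and grantee in held

def cap_grant(matrix, grantor, grantee, obj):
    if not cap_can_grant(matrix, grantor, grantee, obj):
        return False
    matrix.setdefault(grantee, set()).add(obj)
    return True

def demo():
    acl = {"admin": {"grant:write_tty"}, "alice": {"write_tty"}}
    caps = {"alice": {"tty", "bob"}, "bob": {"carol"}, "carol": set()}
    return {
        # alice can write to ttys but cannot hand that on
        "acl_holder_grants": acl_grant(acl, "alice", "bob", "write_tty"),
        # admin cannot write to ttys itself, yet can grant it
        "acl_admin_grants": acl_grant(acl, "admin", "bob", "write_tty"),
        # granting the grant right needs a third kind of check mark
        "acl_admin_grants_grant": acl_can_grant(acl, "admin", "grant:write_tty"),
        # alice holds tty but has no reference to carol
        "cap_no_row": cap_grant(caps, "alice", "carol", "tty"),
        "cap_alice_to_bob": cap_grant(caps, "alice", "bob", "tty"),
        # bob passes it on under the same rule, no delegate bit involved
        "cap_bob_to_carol": cap_grant(caps, "bob", "carol", "tty"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```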