List: cap-talk
Subject: Card Keys, capabilities, counters
From: Jonathan S. Shapiro jsshapiro () earthlink ! net
Date: 1998-03-18 5:47:45
> After reading your essay and email, the Saltzer paper, and Hardy's
> sound bites, I have a follow-up question regarding your phrase
> "I can't go the other way around.", but I'll defer it for another email
> another day.
Greg:
I won't spoil the fun of thinking it through by giving away the
answer, but perhaps you might find a test problem or two helpful.
If you can solve these, you'll have shown that ACLs and capabilities
are really equivalent.
From a purely theoretical standpoint, neither problem is solvable.
Given minor surgery to the ACL model, the first problem is
theoretically solvable. The second, as far as I know, is not. I am
not aware of an engineerable solution to either problem.
Don't let yourself get too frustrated.
Scenario 1:
Consider two processes A and B. A is a client application, and B is a
supporting component that A wishes to create and then use. If you
like, imagine that B is something in the style of an ActiveX control.
Imagine that A has authority to manipulate objects W, X, and Y (our
sample user hasn't created many files yet). It wishes to grant to B
the right to access X, but not W or Y. In addition, it wishes to
ensure that B never gains access to subsequently created objects Z,
Z', Z'', Z''' etc.
Challenge 1: Describe a conceptually sound solution to this problem
using only ACLs.
Challenge 2: Design an *efficient* primitive mechanism to implement
the key element(s) of your solution.
Challenge 1 cannot be solved in the pure ACL model, but *can* be
solved with relatively minor surgery to the ACL model.
Challenge 2 appears to be intractable. Dynamic allocation of kernel
data structures to solve the problem leads to kernel deadlock, and is
therefore not acceptable.
Scenario/Challenge 2:
Describe how to implement the UNIX passwd program within a purely
ACL-oriented model. Remember that the setuid mechanism in UNIX and
the program privilege table in VMS are bolt-ons -- they step outside
the ACL model.
shap
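Added example, not part of the message above: a toy model of Scenario 1 that lets you run the two access-control models side by side. It keeps the post's names for the processes (A, B) and objects (W, X, Y, Z created later); the class names, the principal name "greg" and the "fresh principal" variant are assumptions of this illustration, not anything the message specifies, and the variant is one possible shape of a modified ACL model, not Shapiro's intended answer.

```python
# Added example, not code from the original post: a toy model of Scenario 1
# (processes A and B, objects W, X, Y and a later Z). The class names, the
# principal name "greg" and the "fresh principal" variant are assumptions of
# this illustration, not anything the message specifies.
from dataclasses import dataclass, field

OBJECTS = ("W", "X", "Y", "Z")


class ACLSystem:
    """Pure ACL model: each object carries the set of principals allowed to
    use it, and a process wields the full authority of the principal it runs as."""

    def __init__(self):
        self.acl = {}  # object name -> set of principals

    def create(self, principal, obj):
        # A newly created object is accessible to the principal that made it.
        self.acl[obj] = {principal}

    def can_access(self, principal, obj):
        return principal in self.acl.get(obj, set())


@dataclass
class ACLProcess:
    system: ACLSystem
    principal: str

    def spawn(self, as_principal=None):
        # In the pure model a supporting component (the ActiveX-style B) runs
        # as the same principal as its creator. Passing a different principal
        # is the "fresh principal" variant demonstrated below.
        return ACLProcess(self.system, as_principal or self.principal)

    def access(self, obj):
        return self.system.can_access(self.principal, obj)


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference; holding it is the only way to reach target."""
    target: str


@dataclass
class CapProcess:
    caps: set = field(default_factory=set)

    def spawn(self, *caps):
        # B starts with nothing but the capabilities A explicitly hands over.
        return CapProcess(set(caps))

    def access(self, obj):
        return any(c.target == obj for c in self.caps)


def run_acl_scenario():
    """Pure ACL model: what can B reach, including Z created after B exists?"""
    sysm = ACLSystem()
    a = ACLProcess(sysm, "greg")
    for obj in ("W", "X", "Y"):
        sysm.create(a.principal, obj)
    b = a.spawn()                      # B runs as greg, exactly like A
    sysm.create(a.principal, "Z")      # Z is created after B already exists
    return {obj: b.access(obj) for obj in OBJECTS}


def run_acl_fresh_principal():
    """One shape a modified ACL model could take (an assumption of this
    example): A mints a fresh principal for B and lists it only on X's ACL.
    The cost is a new principal plus an ACL edit for every such delegation."""
    sysm = ACLSystem()
    a = ACLProcess(sysm, "greg")
    for obj in ("W", "X", "Y"):
        sysm.create(a.principal, obj)
    sysm.acl["X"].add("greg:b-only")   # grant the new principal X only
    b = a.spawn(as_principal="greg:b-only")
    sysm.create(a.principal, "Z")      # Z's ACL names greg, not greg:b-only
    return {obj: b.access(obj) for obj in OBJECTS}


def run_cap_scenario():
    """Capability model: A passes B the capability for X and nothing else."""
    caps = {obj: Capability(obj) for obj in ("W", "X", "Y")}
    a = CapProcess(set(caps.values()))
    b = a.spawn(caps["X"])             # only X is delegated to B
    a.caps.add(Capability("Z"))        # A later creates Z; B never sees it
    return {obj: b.access(obj) for obj in OBJECTS}


if __name__ == "__main__":
    print("pure ACL        :", run_acl_scenario())
    print("ACL + principal :", run_acl_fresh_principal())
    print("capabilities    :", run_cap_scenario())
```

In the pure ACL run B reaches W, X, Y and the later Z, because B's authority is the principal's, not A's choice. The capability run gives B exactly X. The fresh-principal run also gives B exactly X, but only by creating a principal and editing an ACL per delegation, which is where the efficiency question in Challenge 2 starts to bite.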