From: Bill Frantz <frantz@pwpconsult.com>
Replying To: Ka-Ping Yee <ping@zesty.ca>
Date: Thu, 5 Dec 2002 14:46:01 -0800
Subject: Re: [e-lang] capability myths demolished!

At 5:21 PM -0800 12/3/02, Ka-Ping Yee wrote:
>On Tue, 3 Dec 2002, David Wagner wrote:
>> It depends what you mean by ACLs.  Some ACL systems can readily support
>> the same POLA story without requiring the involvement of the superuser.
>>
>> There's a key principle here:
>>   Programs ought to be able to voluntarily relinquish privileges
>>   before undertaking certain operations.
>
>Well, sort of.  But the way this sentence refers to "relinquishing"
>makes it sound like it's normal to pass on all the privileges you have,
>and we are happy if we can have the ability to just turn off a few things.
>It's not enough to have a system where you can "relinquish some" privileges.
>I'd rather talk about transferring only the privileges you need:
>
>    Programs ought to be able to invoke operations in a way that
>    conveys the least necessary privilege.

I agree fully, but this ability is only part of the required mechanism.
Programs also need to be able to bring their own capabilities to the party. 
Otherwise you can't write programs like the Unix password program.

And yes, setuid is far from POLA, but one can imagine much finer grain
privilege associated with programs.   In an ACL system, the program class
would have to have an entry in the ACL, which its instance inherits.  (I
use the term "class" to indicate the program in a bin directory, and
instance to indicate an executing copy of the program in memory.)

Systems such as EROS and E trivially have this ability. 

Cheers - Bill 


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz@pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA
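The two points Bill raises, sketched as an added example that is not part of the thread: the password program brings its own capability (full authority over the store), while each invoking user is handed only an attenuated facet that conveys the least privilege, the ability to change that one entry. Written in Python rather than E; all names are hypothetical.

```python
import hashlib
import os

ITERATIONS = 100_000  # PBKDF2 work factor for this constructed example


class PasswordStore:
    """Full authority over every entry: the 'passwd' program's own capability."""

    def __init__(self):
        self._entries = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._entries[user] = (salt, self._derive(password, salt))

    def check(self, user, password):
        if user not in self._entries:
            return False
        salt, digest = self._entries[user]
        return self._derive(password, salt) == digest

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class OwnPasswordFacet:
    """Attenuated capability handed to a user: change one entry, nothing else."""

    def __init__(self, store, user):
        self._store = store  # held privately; the facet never hands it out
        self._user = user

    def change(self, old, new):
        # The old password is verified inside the facet; only our own entry is rewritten.
        if not self._store.check(self._user, old):
            return False
        self._store.set_password(self._user, new)
        return True


def run_demo():
    """Constructed scenario: the program holds full authority, callers get facets."""
    store = PasswordStore()
    store.set_password("alice", "hunter2")
    store.set_password("bob", "swordfish")
    alice = OwnPasswordFacet(store, "alice")  # the only authority alice receives
    changed = alice.change("hunter2", "correct horse")
    rejected = alice.change("hunter2", "again")  # old password is no longer valid
    return changed, rejected, store.check("alice", "correct horse"), store.check("bob", "swordfish")
```

Unlike E or EROS, Python does not enforce encapsulation, so the facet's private store reference is reachable by a determined caller; the pattern shows the authority split, not a language-enforced boundary.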


_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang