Re: Names vs. Inodes

From: David Wagner (dawat_private)
Date: Sun Jul 22 2001 - 19:04:57 PDT


    I'm not sure that the capabilities vs. access control lists distinction
    is as helpful as one might hope, when we're talking about interposed
    reference monitors that are neither part of the subject (e.g., the
    confined process) nor part of the object (e.g., the file on disk).
    
    ACL's are the case where permission-entries are stored with the object.
    Capabilities are the case where permission-entries are stored with
    the subject.  In SubDomain and similar approaches, neither applies,
    because permission-entries are stored with the interposed guard entity.
    
    You're right that there is also the issue of revocation vs. delegation.
    If subjects can delegate their own permissions to others without involving
    the OS, then delegation is easy but revocation is hard; if subjects must
    invoke the OS to delegate permissions to others, revocation is easy, but
    delegation is now controlled.  However, this issue is mostly orthogonal
    to the capabilities vs. ACL's axis.  In practice, almost all ACL systems
    provide controlled delegation (and hence revocation is easy), and many
    capability systems provide unmediated delegation (and hence revocation is
    hard), so in many people's minds, people conflate the two tradeoffs---but
    I see no fundamental reason why this must necessarily be so.
    
    Sorry to interrupt with the philosophical abstract musings.  Back to
    your regularly scheduled discussion...
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
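
The orthogonality argument in the message above, as an added example that is not part of the original post: a capability-style model (permission entries stored with the subject) in which delegation through the OS keeps revocation easy, while a token copied without the OS cannot be revoked separately. All class and function names are hypothetical.

```python
import secrets

class Subject:
    def __init__(self):
        self.caps = {}   # capability style: entries stored with the subject

class Mediator:
    """Hypothetical stand-in for the OS: validates tokens, records delegation."""
    def __init__(self):
        self.valid = {}      # token -> object it grants access to
        self.children = {}   # token -> tokens the OS derived from it

    def mint(self, subject, obj):
        tok = secrets.token_hex(8)
        self.valid[tok] = obj
        subject.caps[obj] = tok
        return tok

    def delegate(self, giver, receiver, obj):
        # Controlled delegation: OS issues a derived token and logs the link.
        parent = giver.caps.get(obj)
        if self.valid.get(parent) != obj:
            raise PermissionError("giver holds no valid capability")
        child = self.mint(receiver, obj)
        self.children.setdefault(parent, []).append(child)

    def revoke_derived(self, tok):
        # Easy revocation: walk the recorded delegation tree below tok.
        for child in self.children.pop(tok, []):
            self.revoke_derived(child)
            self.valid.pop(child, None)

    def check(self, subject, obj):
        return self.valid.get(subject.caps.get(obj)) == obj

def unmediated_delegate(giver, receiver, obj):
    # Unmediated delegation: token copied without involving the OS.
    receiver.caps[obj] = giver.caps[obj]

def demo():
    os_ = Mediator()
    alice, bob, carol = Subject(), Subject(), Subject()
    os_.mint(alice, "file")
    os_.delegate(alice, bob, "file")            # mediated
    unmediated_delegate(alice, carol, "file")   # copied token
    before = (os_.check(bob, "file"), os_.check(carol, "file"))
    os_.revoke_derived(alice.caps["file"])
    after = tuple(os_.check(s, "file") for s in (alice, bob, carol))
    return before, after
```

After the revocation, the mediated delegate loses access while the holder of the copied token keeps it, because that token is indistinguishable from the grantor's own.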
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 20:24:18 PDT