tech-kern archive


Re: Capsicum: practical capabilities for UNIX



> POSIX.1e "capabilities" are actually coarse-grained OS privileges,

Not all that coarse-grained as compared to traditional Unix privileges!

> [POSIX-style "capabilities"] solve (or, in some cases, don't solve)
> an orthogonal problem in UNIX security: how to decompose root
> privilege.

Not all that orthogonal.  I'd say that they're really solving the same
thing, just in different ways and at different levels of granularity,
that "same thing" being the question of how to convert the single level
of privilege offered by the hardware (user mode versus kernel mode, in
Unix terminology) into something more useful.

Traditional Unix breaks this into three: kernel mode, root user mode,
and non-root user mode.  POSIX "capabilities" (which, based on what was
said upthread, are remarkably like VMS privileges) break it down a bit
further.  Capabilities in the sense everyone but POSIX uses the term :)
break it down even further and in a somewhat different way, but it's
still addressing the same basic problem: how to allow/deny access to
resources in a more useful way than the all-or-nothing way the hardware
provides.

> Capabilities in a classic security sense are unforgeable tokens of
> authority that can be delegated.

Sounds a lot like POSIX "capabilities" to me - it's just that the
authority comes in, as compared to non-POSIX "capabilities", relatively
coarse chunks and is passed around in a rather different way.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
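A toy model of the distinction the thread is drawing, added here as an example; it is not code from the post, from Capsicum, or from any kernel. Model 1 checks an ambient privilege set against the process (the POSIX.1e style of "capability"); model 2 binds rights to an unforgeable handle on one object and lets the holder delegate or narrow it (the classic/Capsicum sense). The class and function names, the `Right` flags, and the `CAP_DAC_OVERRIDE` handling are illustrative assumptions of this example, not the API of any real system.

```python
"""Toy model of the two senses of "capability" discussed above.

Added example, not code from the post, from Capsicum or from any OS.
Every name here (Kernel, Right, the CAP_DAC_OVERRIDE check) is an
illustrative assumption, not a real API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()
    UNLINK = auto()


@dataclass
class File:
    path: str
    owner: int
    data: str = ""


# ---- model 1: ambient privilege, checked against the process ----
@dataclass
class AmbientProcess:
    uid: int
    privs: set[str] = field(default_factory=set)  # e.g. {"CAP_DAC_OVERRIDE"}

    def write(self, f: File, data: str) -> None:
        # The decision depends only on who the process is, never on which
        # handle the code path obtained: one privilege bit covers every file.
        if f.owner != self.uid and "CAP_DAC_OVERRIDE" not in self.privs:
            raise PermissionError(f.path)
        f.data = data


# ---- model 2: rights bound to an unforgeable handle on one object ----
class Kernel:
    _TOKEN = object()  # private; stands in for "only the kernel mints handles"

    def grant(self, f: File, rights: Right) -> "Capability":
        return Capability(f, rights, Kernel._TOKEN)


class Capability:
    __slots__ = ("_f", "rights")

    def __init__(self, f: File, rights: Right, token: object) -> None:
        if token is not Kernel._TOKEN:
            raise PermissionError("capabilities cannot be forged")
        self._f, self.rights = f, rights

    def limit(self, rights: Right) -> "Capability":
        # Attenuation only: the new handle never holds more than this one.
        return Capability(self._f, self.rights & rights, Kernel._TOKEN)

    def write(self, data: str) -> None:
        if Right.WRITE not in self.rights:
            raise PermissionError(self._f.path)
        self._f.data = data

    def unlink(self, fs: dict[str, File]) -> None:
        if Right.UNLINK not in self.rights:
            raise PermissionError(self._f.path)
        del fs[self._f.path]


def ambient_deputy(deputy: AmbientProcess, fs: dict[str, File], path: str, data: str) -> None:
    """A privileged service that writes wherever the client names."""
    deputy.write(fs[path], data)


def capability_deputy(cap: Capability, data: str) -> None:
    """A service that can touch only the object it was handed, with the rights it was handed."""
    cap.write(data)


def demo() -> dict[str, object]:
    # Constructed sample filesystem: one file owned by uid 1000, one by root.
    fs = {p: File(p, owner=o) for p, o in (("/home/alice/notes", 1000), ("/etc/passwd", 0))}
    out: dict[str, object] = {}

    # Model 1: a client asks a CAP_DAC_OVERRIDE-holding deputy to write
    # /etc/passwd. The privilege is process-wide, so it succeeds (confused deputy).
    deputy = AmbientProcess(uid=2000, privs={"CAP_DAC_OVERRIDE"})
    ambient_deputy(deputy, fs, "/etc/passwd", "tampered")
    out["ambient_passwd"] = fs["/etc/passwd"].data

    # Model 2: the client holds a full handle on its own file, narrows it to
    # WRITE and delegates that. The deputy has no way to name /etc/passwd.
    full = Kernel().grant(fs["/home/alice/notes"], Right.READ | Right.WRITE | Right.UNLINK)
    write_only = full.limit(Right.WRITE)
    capability_deputy(write_only, "hello")
    out["cap_notes"] = fs["/home/alice/notes"].data

    # A narrowed handle cannot be widened again, and missing rights are refused.
    out["widen_rights"] = write_only.limit(Right.WRITE | Right.UNLINK).rights
    try:
        write_only.unlink(fs)
        out["unlink_denied"] = False
    except PermissionError:
        out["unlink_denied"] = True

    # Code that merely knows a path cannot conjure a handle to it.
    try:
        Capability(fs["/etc/passwd"], Right.WRITE, object())
        out["forge_denied"] = False
    except PermissionError:
        out["forge_denied"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete: in the ambient scheme the privilege bit answers the same way for every object the process can name, so any code path inside a privileged process (or a deputy acting on a client's behalf) can reach any file; in the handle-bound scheme authority travels only with the handle, can only be narrowed as it is passed on, and cannot be reconstructed from a path by code that was never given it.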

