tech-kern archive


Re: Capsicum: practical capabilities for UNIX



On Mon, Sep 27, 2010 at 07:15:25AM +0300, Jukka Ruohonen wrote:
> On Sun, Sep 26, 2010 at 08:48:45PM -0400, Perry E. Metzger wrote:
> > They did Chrome in the paper, and it required very few lines of code
> > (under 100). They did other tests too. It appears that they've had
> > quite a bit of success in creating a very usable API here. I'm not
> > entirely surprised, given the nature of what they're doing.
> 
> Just a little historical remark.
> 
> I am a little puzzled why Watson et al. did not bother to mention Linux
> capabilities that have existed for a long time. The Linux API is almost
> identical to the one proposed in the "capsicum" paper. And yet, Linux
> capabilities are seldom used.

AFAICT, POSIX capabilities have nothing at all to do with capabilities
as implemented in Capsicum, EROS, et cetera.  This is explained in the
"Linux kernel capabilities FAQ",
<http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt>.

Searching in Google for "POSIX capabilities" (without the quotes) turns
up many interesting pages.  One is the article (comment on an article?),
<http://lwn.net/Articles/212962/>, "POSIX 'capabilities' are fatally
flawed in a way that real capabilities are not."  The contributor argues
for the comparative ease of use of a "real" capability system.  I tend
to agree that a capability system is potentially much more usable than
the best possible system based on other access controls.

Dave

-- 
David Young             OJC Technologies
dyoung%ojctech.com@localhost      Urbana, IL * (217) 278-3933

