[Cryptography] Do capabilities work? Do ACLs work?

Jerry Leichter leichter at lrw.com
Thu Feb 12 13:38:43 EST 2015


On Feb 12, 2015, at 3:12 AM, Rob Meijer <pibara at gmail.com> wrote:
> The reason Unix uses ACLs is because it was conceived in a time that it was suitable for time sharing systems where the software was trusted but other users could not be. The model however is completely useless when, as is mostly the case, the users can be trusted but the software they are running cannot. ...
I doubt this explanation.  The reason Unix (and Windows, and VMS) went with ACLs is that they were a relatively simple extension to what they already had:  information on the files that defined access for well-defined groups of users.  Files were already persistent and already had all kinds of metadata associated with them.  The mechanisms for checking access at the time of access were already there and organized as "does the currently running user have access to this file".  File systems fit in a hierarchy and there was a model (more complex than most people thought, and somewhat different on the various systems) for how access to directories influenced access to files and directories under them.  Commands were organized around access to groups of directories and files - only specialized commands saw "user" or "group" as an object at all, and they usually didn't have easy ways to do things to multiple users or groups at once.

So adding ACLs was relatively simple and fit nicely with what was there.  Adding capabilities would have required some top-down redesign, and users would have had to learn entirely new concepts.

BTW, not all ACL systems are the same.  The Unix ACL system is in a way just a glorified extension of the existing group system.  The VMS ACL system was much more elaborate and interesting.  I haven't looked at it in years, but among the things you could do were:

- Associate an ACL with an executable that would be granted to the process while that executable was running.  This is setuid/setgid taken to the ultimate level.
- Associate an ACL that would send an alert to the security logs if various actions touched the ACL - from attempting to remove it to even just looking at it.
- Make ACLs non-browsable.  If you knew the exact ACL (and had the appropriate privileges) you could change it, but wildcards wouldn't show it.  On the other hand, even if you couldn't see an alarm ACL, it could still raise an alert.  That is:  you could plant invisible trip wires anywhere you wanted in the file system.
                                                        -- Jerry
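The three VMS features listed in the message above, written out as DCL commands. This is an added example, not part of Jerry's post; it is reconstructed from the OpenVMS SET SECURITY, SET AUDIT and AUTHORIZE syntax as I remember it, so check it against the OpenVMS Guide to System Security before relying on it. The file names PAYROLL.EXE, SALARIES.DAT and DECOY.TXT, the identifier PAYROLL_ADMIN and the user [PAYROLL,JONES] are hypothetical. Subsystem ACEs only take effect for images on a volume mounted with MOUNT/SUBSYSTEM, alarm ACEs only fire once ACL alarms are enabled with SET AUDIT, and creating or displaying hidden ACEs needs SECURITY privilege.

```dcl
$! Added example (not from the original message). Names are hypothetical.
$!
$! 1. Protected subsystem: a process holds the identifier PAYROLL_ADMIN only
$!    while PAYROLL.EXE is the running image (the setuid-like case). The
$!    identifier must carry the SUBSYSTEM attribute, and the image's volume
$!    must be mounted with MOUNT/SUBSYSTEM for the ACE to be honoured.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/IDENTIFIER/ATTRIBUTES=SUBSYSTEM PAYROLL_ADMIN
UAF> EXIT
$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=PAYROLL_ADMIN) PAYROLL.EXE
$! The data file grants access to the identifier, not to any particular user,
$! so only code running inside PAYROLL.EXE can reach it.
$ SET SECURITY/ACL=(IDENTIFIER=PAYROLL_ADMIN,ACCESS=READ+WRITE) SALARIES.DAT
$!
$! 2. Alarm ACE: every successful or failed read, write, delete or control
$!    access to the file raises a security alarm. Without ACL alarms enabled
$!    at the system level the ACE is inert, so enable them first.
$ SET AUDIT/ALARM/ENABLE=ACL
$ SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=READ+WRITE+DELETE+CONTROL+SUCCESS+FAILURE) SALARIES.DAT
$!
$! 3. Invisible trip wire: the same alarm ACE with OPTIONS=HIDDEN. It is not
$!    listed by SHOW SECURITY or DIRECTORY/SECURITY for users without
$!    SECURITY privilege, but it still fires on access. A hidden identifier
$!    ACE on the same decoy file grants access that the owner cannot browse.
$ SET SECURITY/ACL=(ALARM=SECURITY,OPTIONS=HIDDEN,ACCESS=READ+SUCCESS+FAILURE) DECOY.TXT
$ SET SECURITY/ACL=(IDENTIFIER=[PAYROLL,JONES],OPTIONS=HIDDEN,ACCESS=READ) DECOY.TXT
$!
$! What an unprivileged user sees: the protection mask and any visible ACEs,
$! with the hidden ones omitted.
$ SHOW SECURITY DECOY.TXT
```

The practical caveat for anyone reproducing the trip-wire idea on another system is the second step: an alarm ACE is an audit policy stored on the object, and it is only as good as the system-wide audit configuration that consumes it. Verify that ACL alarms are enabled and that the audit server is actually delivering to the security operator terminal or log before trusting a hidden ACE to catch anything.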
