On Mon, Sep 27, 2010 at 07:15:25AM +0300, Jukka Ruohonen wrote:
> On Sun, Sep 26, 2010 at 08:48:45PM -0400, Perry E. Metzger wrote:
> > They did Chrome in the paper, and it required very few lines of code
> > (under 100). They did other tests too. It appears that they've had
> > quite a bit of success in creating a very usable API here. I'm not
> > entirely surprised, given the nature of what they're doing.
>
> Just a little historical remark.
>
> I am a little puzzled why Watson et al. did not bother to mention Linux
> capabilities that have existed for a long time. The Linux API is almost
> identical to the one proposed in the "capsicum" paper. And yet, Linux
> capabilities are seldom used.
AFAICT, POSIX capabilities have nothing at all to do with capabilities as implemented in Capsicum, EROS, et cetera. This is explained in the "Linux kernel capabilities FAQ", <http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt>.

Searching in Google for "POSIX capabilities" (without the quotes) turns up many interesting pages. One is the article (comment on an article?), <http://lwn.net/Articles/212962/>, "POSIX 'capabilities' are fatally flawed in a way that real capabilities are not." The contributor argues for the comparative ease of use of a "real" capability system.

I tend to agree that a capability system is potentially much more usable than the best possible system based on other access controls.

Dave

--
David Young             OJC Technologies
dyo...@ojctech.com      Urbana, IL * (217) 278-3933