It has long been held that anything capabilities can do, ACLs can also do. This
is not the case, and the most obvious counterexample is this: if Alice wants
to give Bob access to, say, some file, then in an ACL system all Alice needs to
do is add Bob to the ACL for that file. ACLs cannot prevent Alice from giving
access to Bob.

In a capability system, Alice also needs a capability giving access to Bob
in order to pass him the capability to the file[12]. Furthermore, it must be a
capability whose API allows the passing of other capabilities.
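
The difference can be modelled in a few lines of Python. This is an added example, not code from the original post. All class and function names are hypothetical, and Alice is assumed to be the file's owner in the ACL model.

```python
# Added illustration; all class and function names are hypothetical.

class AclFile:
    """ACL model: principals are names, and the owner edits the list."""
    def __init__(self, owner, data):
        self.owner, self.acl, self._data = owner, {owner}, data
    def grant(self, caller, who):
        if caller != self.owner:
            raise PermissionError(caller)
        self.acl.add(who)          # any name can be added; no link to Bob needed
    def read(self, caller):
        if caller not in self.acl:
            raise PermissionError(caller)
        return self._data

class FileCap:
    """Capability model: holding this reference is the permission."""
    def __init__(self, data):
        self._data = data
    def read(self):
        return self._data

class Bob:
    def __init__(self):
        self.held, self.notes = [], []

class TextFacet:
    """A capability to Bob whose API carries text only."""
    def __init__(self, bob):
        self._bob = bob
    def send(self, msg):
        if not isinstance(msg, str):
            raise TypeError("text only")
        self._bob.notes.append(msg)

class CapFacet:
    """A capability to Bob whose API accepts other capabilities."""
    def __init__(self, bob):
        self._bob = bob
    def send(self, cap):
        self._bob.held.append(cap)

def delegate(file_cap, bob_ref):
    """Alice tries to pass file_cap using only the references she holds."""
    if bob_ref is None:
        return "blocked: no capability to Bob"
    try:
        bob_ref.send(file_cap)
    except TypeError:
        return "blocked: Bob's API does not pass capabilities"
    return "delegated"
```

Calling `AclFile.grant("alice", "bob")` always succeeds for the owner, whereas `delegate` succeeds only when Alice has been handed a `CapFacet` for Bob.
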
The ramifications of this difference could form the subject matter of a whole
book, but I give some examples here.