program – it needs to read the file the user wants to edit. How does it get the
capability to that file?
One answer is to have the system in possession of all-powerful capabilities:
for example, the capability to manufacture a read or write capability for any of
the user’s files. The system has a component which can interact with the user
to choose a file (in other words, a file open dialog). The system endows the
word processor with a capability to invoke this trusted component. When the
user chooses "File/Open" the word processor invokes the file open dialog, the
user chooses the file they wish to edit, the dialog returns a read capability to
the word processor which can then display the contents to the user.
Contrast this with the situation when using ACBR – from the user’s point
of view everything looks just the same: they choose File/Open, a dialog comes
up, they choose a file, the word processor displays the file. But under the hood
something quite different has happened. The dialog returned the name of the
file, the word processor asked the OS to open it, the OS checked whether the
user was allowed to, and if so, opened it.
But suppose the word processor had ignored what the user chose and just
used a completely different file? Of course, this would work just fine under
ACBR. Indeed, the word processor wouldn’t have to ask the user to choose a
file at all.
But in a capability system the situation is entirely different – without the
user’s intervention, the word processor cannot read any files at all. Even with
the user’s help it can read just the file the user chose and no other.
A similar example comes from the Unix shell. Consider the standard Unix
cat command – it takes an argument which is the name of a file to read. In a
capability system, this would be translated into a capability to read just that
one file. The shell would do this on behalf of the user because the user had
designated that file by typing its name. Of course, the shell would have to have
access to the corresponding capability (or a factory that could make it) – which
would correspond to the ACBR notion of the user having permission to read
the file. No further checking of permissions would be required.
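To make the two authority flows concrete, here is an added toy model (example code, not from the original post) of both the file-open-dialog story and the `cat` story above. It is an in-process simulation: `CapabilityFactory`, `ReadCapability`, `FileOpenDialog` and the two word-processor classes are invented names, and nothing here is a real OS sandbox. The point it shows is structural: the capability-style word processor and `cat` never see a path and never call `open()`, so the only file they can read is the one the user designated, whereas the ACBR-style program, handed a name and ambient `open()`, can silently substitute any other file the user is allowed to read.

```python
import os
import tempfile


class ReadCapability:
    """Holds an open read-only descriptor for exactly one file. The holder
    never learns a path and cannot turn this into a write handle."""

    def __init__(self, fd):
        self._fd = fd

    def read(self):
        os.lseek(self._fd, 0, os.SEEK_SET)
        parts = []
        while True:
            chunk = os.read(self._fd, 4096)
            if not chunk:
                break
            parts.append(chunk)
        return b"".join(parts).decode()

    def close(self):
        os.close(self._fd)


class CapabilityFactory:
    """The system's all-powerful capability for one user's files: it mints a
    read capability for any file under that user's home (the ACBR analogue of
    'the user has permission to read the file'), and nothing outside it."""

    def __init__(self, home):
        self._home = os.path.realpath(home)

    def read_cap(self, name):
        path = os.path.realpath(os.path.join(self._home, name))
        if os.path.commonpath([self._home, path]) != self._home:
            raise PermissionError("not the user's file: %s" % name)
        return ReadCapability(os.open(path, os.O_RDONLY))


class FileOpenDialog:
    """Trusted component: asks the user for a file, returns a capability."""

    def __init__(self, factory, ask_user):
        self._factory = factory
        self._ask_user = ask_user  # stand-in for the interactive chooser

    def run(self):
        return self._factory.read_cap(self._ask_user())


class CapabilityWordProcessor:
    """Untrusted program holding only the capability to invoke the dialog.
    Note there is no path and no open() anywhere in this class."""

    def __init__(self, invoke_dialog):
        self._invoke_dialog = invoke_dialog

    def file_open(self):
        cap = self._invoke_dialog()
        try:
            return cap.read()
        finally:
            cap.close()


class AcbrWordProcessor:
    """Same user experience under ACBR: the dialog returns a name and the
    program opens it itself, so it can just as easily ignore the choice."""

    def __init__(self, home, ask_user):
        self._home = home
        self._ask_user = ask_user

    def file_open(self, ignore_user_and_open=None):
        name = ignore_user_and_open or self._ask_user()
        with open(os.path.join(self._home, name)) as f:
            return f.read()


def cat(cap):
    """cat itself only ever sees the capability, never the name."""
    return cap.read()


def shell_cat(factory, argv):
    """The shell turns the name the user typed into a capability for cat."""
    cap = factory.read_cap(argv[1])
    try:
        return cat(cap)
    finally:
        cap.close()


def demo():
    """Constructed scenario: a home with two files, the user picks one."""
    home = tempfile.mkdtemp()
    for name, text in (("letter.txt", "Dear reader"), ("diary.txt", "private")):
        with open(os.path.join(home, name), "w") as f:
            f.write(text)

    def user_picks():
        return "letter.txt"

    factory = CapabilityFactory(home)
    dialog = FileOpenDialog(factory, user_picks)
    acbr = AcbrWordProcessor(home, user_picks)
    result = {
        "cap_wp": CapabilityWordProcessor(dialog.run).file_open(),
        "acbr_wp": acbr.file_open(),
        "acbr_sneaky": acbr.file_open(ignore_user_and_open="diary.txt"),
        "cat": shell_cat(factory, ["cat", "letter.txt"]),
    }
    try:  # the factory refuses anything outside the user's own files
        factory.read_cap("../not-mine.txt")
        result["outside_home"] = "allowed"
    except PermissionError:
        result["outside_home"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the asymmetry the post describes: both word processors display `letter.txt` when the user picks it, but only the ACBR one can also return the contents of `diary.txt` without the user's involvement. In a real capability OS the process would have no ambient `open()` at all; here that is modelled only by the capability classes containing no such call, which is the caveat to keep in mind when reading the simulation.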