Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site axiom.UUCP
Path: utzoo!watmath!clyde!bonnie!akgua!whuxlm!harpo!decvax!linus!axiom!smk
From: smk@axiom.UUCP (Steven M. Kramer)
Newsgroups: net.unix-wizards
Subject: Re: implementing access control lists in 4.2bsd
Message-ID: <56@axiom.UUCP>
Date: Tue, 25-Jun-85 17:36:21 EDT
Article-I.D.: axiom.56
Posted: Tue Jun 25 17:36:21 1985
Date-Received: Thu, 27-Jun-85 07:42:32 EDT
References: <425@linus.UUCP> <121@ho95e.UUCP>
Distribution: net
Organization: Axiom Technology, Newton MA
Lines: 24

> Bill Stewart, AT&T Bell Labs, Holmdel NJ 1-201-949-0705 ihnp4!ho95c!wcs

> Protection Mechanism Under UNIX".  He wanted the same kind of flexibility you
> wanted, written in a portable way without kernel hacking.  So he invented
> Capa's.  A capa is a program you can give somebody which gives them permission

The problem with capa's is that although there is no kernel hacking
necessary, there is not complete security when using them, and more
importantly, many UNIX programs do not have the command line
interface that is required with them.  The philosophy of capa's, for those
who do not know, is to have a setuid program deal with opening files and
the capa (capability) is really a file descriptor passed to a normal
program from the setuid program (since UNIX allows them to be passed via
an exec).  I have done similar things with setuid programs in Linus III/IV
by having a setuid program become a resource manager.

I guess the point in both applications is that, when properly
administered, setuid programs can become extremely useful in creating
"domains" for handling least privilege concepts.  (They also can easily
defeat such purposes as we know.)
-- 
	--steve kramer
	{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!axiom!smk	(UUCP)
	linus!axiom!smk@mitre-bedford					(MIL)
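The capa mechanism the post describes, as an added example that is not code from the post or from the original capa work: a manager routine opens a file under its own authority and execs a stock program that is told only the descriptor number, never the path. It assumes a constructed temporary file under /tmp and a /bin/sh with cat on the path; the setuid bit itself is omitted, since the point shown is the descriptor crossing the exec.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Manager side (the setuid program in the real scheme): open the resource under
 * the manager's authority and clear FD_CLOEXEC so the descriptor survives exec. */
int capa_open(const char *path, int flags) {
    int fd = open(path, flags);
    if (fd >= 0 && fcntl(fd, F_SETFD, 0) < 0) { close(fd); return -1; }
    return fd;
}

/* Normal-program side: exec a stock tool told only the descriptor number, capture
 * its output through a pipe and return its exit status (-1 on failure). */
int capa_exec_reader(int fd, char *out, size_t outlen) {
    int p[2], status; char cmd[32]; ssize_t n, total = 0;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                      /* child: fd crosses the exec intact */
        snprintf(cmd, sizeof cmd, "cat <&%d", fd);
        dup2(p[1], STDOUT_FILENO);
        close(p[0]); close(p[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);
    while ((n = read(p[0], out + total, outlen - 1 - total)) > 0) total += n;
    out[total] = '\0'; close(p[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* End to end on a constructed file: the child reads through the read-only capa,
 * but its holder cannot widen it to write access (write fails with EBADF). */
int capa_demo(void) {
    char path[] = "/tmp/capa_demoXXXXXX", buf[64];   /* constructed sample */
    const char *data = "constructed secret line\n";
    int tmp = mkstemp(path), fd, ok;
    if (tmp < 0 || write(tmp, data, strlen(data)) < 0) return 0;
    close(tmp); fd = capa_open(path, O_RDONLY);
    ok = fd >= 0 && capa_exec_reader(fd, buf, sizeof buf) == 0 &&
         strcmp(buf, data) == 0 && write(fd, "x", 1) < 0 && errno == EBADF;
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}
```

The final write check is what makes the descriptor a real, if limited, capability: the access mode was fixed by the manager at open time and the holder cannot widen it.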