POSIX "capabilities" are fatally flawed in a way that real capabilities are not
Posted Dec 6, 2006 20:02 UTC (Wed) by zooko
Parent article: File-based capabilities
Please note that POSIX "capabilities" and Linux "capabilities" are a different security model from the model called "capabilities" among security researchers. It is unfortunate that, because of this naming collision, the fatal flaws in the POSIX model will be held against the original capability model, which doesn't share these flaws.
A good example of such a fatal flaw is that in so-called "POSIX capabilities", increased granularity of protection implies increased cognitive load on the user/programmer/administrator. Corbet wisely questions the usefulness of this in the article.
By contrast, in the real capabilities framework such as originally published by Dennis and van Horn, and as implemented in EROS and in the E language, as well as other implementations, increased granularity of protection (compared to traditional Unix access control) comes with reduced cognitive load on the user/programmer/administrator. This may sound contradictory at first, but it is possible because the real capability framework takes advantage of information that is already present but that the other frameworks do not use to advantage. That is, the naming information.
All users, programmers, and administrators have to use names for things in order to organize their own work, and the real capability framework uses that naming information to bootstrap fine-grained, high-assurance protection which is intuitively meaningful to users and requires minimal "extra work". For the so-called "POSIX capabilities" framework (just like the ACL framework and others), adding protection requires adding extra work, which is never going to fly.
For more information, see the section on POSIX capabilities in http://zesty.ca/capmyths. If that section doesn't make sense to you by itself, then try reading the rest of the document up until that section. ;-)
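The contrast the comment draws (authority kept in a side table keyed by names, versus the reference to a thing being both its name and the authority over it) as an added toy illustration; this is not code from the comment, from LWN, or from EROS or E, and the principals, paths and file contents are constructed for the demo.

```python
from typing import Dict, Set, Tuple

# Model 1: ACL-style. Paths are plain strings anyone can write down, so
# authority has to live in a separate table keyed by (principal, path).
# Every new principal or file means another entry to get right: the
# "extra work" the comment objects to.
STORE: Dict[str, str] = {"/home/alice/notes": "meeting at 10"}   # constructed
POLICY: Dict[Tuple[str, str], Set[str]] = {                       # constructed
    ("alice", "/home/alice/notes"): {"read", "write"},
    ("backup", "/home/alice/notes"): {"read"},
}

def acl_op(principal: str, path: str, op: str, data: str = "") -> str:
    """Consult the side table, then act on the globally reachable store."""
    if op not in POLICY.get((principal, path), set()):
        raise PermissionError(f"{principal} may not {op} {path}")
    if op == "write":
        STORE[path] = data
    return STORE[path]

def acl_denied(principal: str, path: str, op: str) -> bool:
    try:
        acl_op(principal, path, op, "scribble")
        return False
    except PermissionError:
        return True

# Model 2: object capabilities. There is no global store to look up by
# name; the only way to reach a file is to be handed a reference to it.
# Passing that reference both names the file and conveys the authority,
# so least privilege falls out of ordinary parameter passing.
class FileCap:
    def __init__(self, contents: str) -> None:
        self._contents = contents
    def read(self) -> str:
        return self._contents
    def write(self, data: str) -> None:
        self._contents = data
    def read_only(self) -> "ReadCap":
        return ReadCap(self)          # attenuation: hand out less than you hold

class ReadCap:
    def __init__(self, full: FileCap) -> None:
        self._full = full             # wrapped, never exposed to the holder
    def read(self) -> str:
        return self._full.read()
    # deliberately no write(): a ReadCap holder cannot get back to FileCap

def backup(cap: ReadCap) -> str:
    """A helper that needs only what it is handed: no principal, no table."""
    return cap.read()

def demo() -> Tuple[str, bool]:
    notes = FileCap("meeting at 10")            # constructed file
    copy = backup(notes.read_only())            # backup can read, not write
    return copy, hasattr(notes.read_only(), "write")
```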