VMS had an interesting approach to capabilities [LWN.net]

VMS had an interesting approach to capabilities

Posted Jan 18, 2007 18:23 UTC (Thu) by JoeBuck (subscriber, #2330)
Parent article: LCA: How to improve Debian security

I used to work with VMS way back in ancient times. The VMS documentation classified privileges according to the potential damage someone with the privilege could do. To quote a bit from this link:

Privileges fall into the following seven categories according to the damage that the user possessing them could cause the system:

None: No privileges
Normal: Minimum privileges to use the system effectively
Group: Potential to interfere with members of the same group
Devour: Potential to consume noncritical systemwide resources
System: Potential to interfere with normal system operation
Objects: Potential to compromise the security of protected objects (files, devices, logical name tables, global sections, and so on)
All: Potential to control the system

A process with no privileges can't use the network or communicate with other processes. As I recall, temporary mailboxes play a role in I/O, so I think a process with no privileges can't even open or close files or streams, but can only read and write from existing ones.

The large numbers of distinct privileges in the "All" category seems to me to reflect design mistakes: given any of about 10 privileges a bad guy can trivially obtain all the others, so the separation doesn't achieve much.

(Log in to post comments)