VMS had an interesting approach to capabilities
Posted Jan 18, 2007 18:23 UTC (Thu) by JoeBuck
Parent article: LCA: How to improve Debian security
I used to work with VMS way back in ancient times.
The VMS documentation classified privileges according to the potential damage someone with the privilege could do. To quote a bit from this link:
Privileges fall into the following seven categories according to the damage that the user possessing them could cause the system:
- None: No privileges
- Normal: Minimum privileges to use the system effectively
- Group: Potential to interfere with members of the same group
- Devour: Potential to consume noncritical systemwide resources
- System: Potential to interfere with normal system operation
- Objects: Potential to compromise the security of protected objects (files, devices, logical name tables, global sections, and so on)
- All: Potential to control the system
A process with no privileges can't use the network or communicate with other processes. As I recall, temporary mailboxes play a role in I/O, so I think a process with no privileges can't even open or close files or streams, but can only read and write from existing ones.
The large numbers of distinct privileges in the "All" category seems to me to reflect design mistakes: given any of about 10 privileges a bad guy can trivially obtain all the others, so the separation doesn't achieve much.
to post comments)