diff options
| author | Thomas Schwinge <tschwinge@gnu.org> | 2007-09-14 16:35:32 +0200 |
|---|---|---|
| committer | Thomas Schwinge <tschwinge@gnu.org> | 2007-09-14 16:35:32 +0200 |
| commit | 9cedf47ebaebf9224fbbb9670001567098943d79 (patch) | |
| tree | ad21162d63654cfc32babf8b4944f31febd22b0c /capability.mdwn | |
| parent | bef9a2b0c49d190d384f21e85e4f5e7728dfaac1 (diff) | |
Rename some pages to be more consistent.
Diffstat (limited to 'capability.mdwn')
| -rw-r--r-- | capability.mdwn | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/capability.mdwn b/capability.mdwn new file mode 100644 index 00000000..06d3cf4a --- /dev/null +++ b/capability.mdwn @@ -0,0 +1,40 @@ +[[license text=""" +Copyright © 2007 Free Software Foundation, Inc. + +Permission is granted to copy, distribute and/or modify this document under the +terms of the GNU Free Documentation License, Version 1.2 or any later version +published by the Free Software Foundation; with no Invariant Sections, no +Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included +in the section entitled [[GNU_Free_Documentation_License|/fdl.txt]]. + +By contributing to this page, you agree to assign copyright for your +contribution to the Free Software Foundation. The Free Software Foundation +promises to always use either a verbatim copying license or a free +documentation license when publishing your contribution. We grant you back all +your rights under copyright, including the rights to copy, modify, and +redistribute your contributions. +"""]] + +A capability is a protected reference. It is a reference in that +it designates an object; it is protected in that in cannot be +forged. A capabilities both designates the object it refers to and +carries the authority to manipulate it. + +By binding [[designation]] and [[authorization]] together, capabilities +simplify [[delegation]]. Imagine that program instance A wants to +tell program B to use a particular file to store some data. +Further imagine that A and B are running in different [[trust_domains]] +(e.g., with different UIDs). If A sends B just the name +of the file, B needs to first ensure that he does not accidentally +enable A to access the file on his own authority. That is, B wants +to protect against A hijacking his authority. (This problem is +refused to the [[confused_deputy]] problem.) Also, since A likely +sent a string to identify the file to B, the identifier lacks a +[[naming_context]] and therefore may resolve to a different object +than A intended. Be ensuring that [[designation]] and [[authorization]] are +always bound together, these problems are avoided. + +Unix file descriptors can be viewed as capabilities. Unix file +descriptors do not survive reboot, that is, they are not +[[persistent|persistency]]. To work around this, [[ACL]]s are used to +recover authority. |